Prevent Unauthorised Application Installations by Users
Regular users cannot install apps unless they are approved, keeping systems secure.
Plain language
This control ensures that regular users in your organisation can't install new applications unless they've been given the green light. It matters because if unauthorised apps are installed, it could lead to security breaches, put sensitive data at risk, or cause system disruptions.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Operating system hardening
Topic
Application Management
Official control statement
Unprivileged users do not have the ability to install unapproved applications.
Why it matters
Allowing users to install unapproved applications can introduce malware, enable data leakage, and create unauthorised access pathways across endpoints.
Operational notes
Enforce application allowlisting and remove local admin rights; regularly review approved apps and alert on unauthorised installation attempts.
Implementation tips
- The IT team should disable application installation rights for ordinary user accounts. Do this by setting strict permissions on user accounts, preventing them from installing applications without admin rights.
- System administrators should implement an application whitelisting policy. To do this, create a list of approved applications that users can install and regularly update this list based on business needs and security evaluations.
- Managers should work with the IT team to educate staff about the policy. Organise training sessions to explain why only approved applications can be installed and how to request approvals for new applications.
- Procurement should coordinate with the IT team when acquiring new software. Ensure all potential applications are assessed for security risks before being put on the approved application list.
- The IT team should routinely monitor and review installed applications. Use system tools to check for unauthorised installations and quickly address any policy breaches.
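The monitoring step above (review installed applications, alert on unauthorised installation attempts) can be automated as a small audit over installation records. The following is an added example, not code from the Control Stack page or from the ISM: it parses constructed installation log lines in an invented format, compares each install against a hypothetical approved-application list and a hypothetical set of privileged deployment accounts, and returns findings for unapproved installs by unprivileged users (severity high) and for blocked attempts that still warrant an alert (severity medium). The product names, account names, hosts and log format are all assumptions made up for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical approved-application list (lowercase product names, versions stripped).
APPROVED_APPS = {"7-zip", "google chrome", "libreoffice"}

# Hypothetical privileged deployment accounts that are permitted to install software.
PRIVILEGED_INSTALLERS = {"corp\\itadmin", "corp\\svc-deploy"}

# Constructed sample log lines. The key=value format is invented for this example
# and is not the output of any particular operating system or product.
SAMPLE_LOG = """\
2026-03-19T09:12:03Z host=WS-0142 user=CORP\\jsmith product="7-Zip 23.01" action=install status=success
2026-03-19T09:40:51Z host=WS-0142 user=CORP\\jsmith product="QuickPDF Toolbar 4.2" action=install status=success
2026-03-19T10:02:17Z host=WS-0077 user=CORP\\svc-deploy product="Acme Ledger 9.0" action=install status=success
2026-03-19T10:15:44Z host=WS-0077 user=CORP\\amanda product="Acme Ledger 9.0" action=install status=blocked
2026-03-19T11:30:09Z host=WS-0142 user=CORP\\jsmith product="Google Chrome 124" action=install status=success
this line is malformed and should be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'product="(?P<product>[^"]+)"\s+action=(?P<action>\S+)\s+status=(?P<status>\S+)$'
)
# Trailing version token such as " 23.01", " v4.2" or " 124".
VERSION_RE = re.compile(r"\s+v?\d[\w.\-]*$")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    product: str
    severity: str  # "high": unapproved app installed; "medium": blocked attempt


def normalise_product(name: str) -> str:
    """Lowercase the product name and strip a trailing version so '7-Zip 23.01' matches '7-zip'."""
    return VERSION_RE.sub("", name.strip()).lower()


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None if the line is malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def audit(log_text: str, approved=APPROVED_APPS, privileged=PRIVILEGED_INSTALLERS):
    """Flag installation events that fall outside the approved list for unprivileged users."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["action"] != "install":
            continue  # skip malformed lines and non-install actions
        user = rec["user"].lower()
        product = normalise_product(rec["product"])
        if user in privileged or product in approved:
            continue  # deployment account, or an application on the approved list
        if rec["status"] == "success":
            severity = "high"    # control failed: unprivileged user installed an unapproved app
        elif rec["status"] == "blocked":
            severity = "medium"  # control held, but the attempt should still be reviewed
        else:
            continue
        findings.append(Finding(rec["ts"], rec["host"], rec["user"], rec["product"], severity))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.timestamp} {f.host} {f.user} installed/attempted {f.product!r}")
```

Feeding the script a real inventory export or installer event log would only require replacing `LINE_RE` and `SAMPLE_LOG`; the allowlist comparison, the privileged-account exemption and the two severity levels are the parts that map directly onto the control's operational notes. The high-severity findings are the evidence an auditor would expect to see acted on under the monitoring reports requested below.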
Audit / evidence tips
- Ask: the list of approved applications. Request to see the current list of applications that users are permitted to install.
  Good: a comprehensive list that reflects recent software evaluations and approvals.
- Ask: to see user account permission settings.
  Good: the setup clearly shows restricted access unless verified by IT.
- Ask: records of application installation requests. Review how requests for new applications have been handled and documented.
  Good: decisions are made based on risk assessments and captured in a request log.
- Ask: to see user training materials. Request the content used to educate employees about this control.
  Good: records of training sessions and materials that clearly explain the no-install policy.
- Ask: to see monitoring reports. Request reports or logs showing surveillance of application installations.
  Good: the reports reveal any unauthorised activities and the actions taken, demonstrating proactive management.
Cross-framework mappings
How ISM-1592 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001 (partially overlaps, 2 controls)
| Control | Notes |
|---|---|
| Annex A 8.18 | Annex A 8.18 requires that use of utility programs capable of overriding system and application controls is restricted and tightly contro... |
| Annex A 8.19 | Annex A 8.19 requires secure management of software installation on operational systems, including preventing unauthorised or risky installs |
E8 (partially overlaps, 2 controls)
| Control | Notes |
|---|---|
| E8-AC-ML1.2 | E8-AC-ML1.2 requires application control in user profiles and temporary folders to prevent unapproved software from executing out of comm... |
| E8-AC-ML1.3 | ISM-1592 requires that unprivileged users cannot install unapproved applications |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.