Implement Application Control on Secure Servers
Ensure servers not connected to the internet have application control for security.
Plain language
This control ensures that applications on servers not connected to the internet are managed carefully, so that unauthorised programs cannot run and cause data breaches or operational disruptions. This matters because unmanaged applications running unchecked on these servers could introduce malware or other security issues, and because the servers' isolation from the internet makes such problems harder to detect and manage.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Guideline
Guidelines for system hardening
Section
Operating system hardening
Topic
Application Control
Official control statement
Application control is implemented on non-internet-facing servers.
Why it matters
Uncontrolled applications on non-internet-facing servers can introduce malware, leading to data breaches and operational disruptions.
Operational notes
Regularly audit application control allowlists on non-internet-facing servers; alert on blocked executions and investigate newly installed binaries.
Implementation tips
- System owners should identify all applications necessary for business operations on the server. Create a list of approved applications by consulting with department heads to ensure no essential software is overlooked.
- The IT team should configure the server to only allow the execution of these approved applications. Use security software that can enforce this rule and regularly update it to include new authorised applications.
- Managers should hold regular check-ins with the IT team to ensure the application list is current. This can be done through quarterly reviews to capture any changes in software needs or updates.
- The IT team should ensure there is a monitoring process in place to alert them of any attempts to run unapproved applications. Implement alerts that notify the appropriate personnel immediately when an unauthorised application is detected.
- System owners should plan and conduct training sessions for all relevant staff on the importance of application control. Use real-life scenarios to illustrate the risks of failing to adhere to approved applications lists.
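The operational notes and implementation tips above describe two recurring tasks: checking that what is installed on the server matches the approved applications list, and turning blocked-execution events into alerts for investigation. The following Python script is an added example that is not part of the ISM text or of any enforcement product; it assumes a hash-based allowlist and a simple `key=value` log line format, and both the "installed binaries" and the log lines are constructed inline so it runs offline.

```python
"""Audit an application-control allowlist and triage blocked-execution events.

Added example for ISM-1656, not part of the control text. The allowlist,
the stand-in binaries and the log format are all constructed assumptions.
"""
import hashlib
import re

# Constructed stand-ins for binaries on the server: path -> file content.
# A real audit would read the files from disk instead.
INSTALLED = {
    "/opt/app/bin/ledger": b"ledger-v3.2",
    "/usr/bin/backup-agent": b"backup-agent-1.9",
    "/tmp/.cache/updater": b"unknown-dropper",
}


def sha256_hex(data: bytes) -> str:
    """Content hash used as the allowlist key (hash-based allowlisting)."""
    return hashlib.sha256(data).hexdigest()


# Constructed approved applications list: content hash -> description.
# Only the two sanctioned binaries are listed; /tmp/.cache/updater is not.
APPROVED_HASHES = {
    sha256_hex(b"ledger-v3.2"): "Ledger service",
    sha256_hex(b"backup-agent-1.9"): "Backup agent",
}


def audit_installed(installed: dict, approved: dict) -> list:
    """Return paths of installed binaries whose hash is not on the approved list.

    This is the periodic review step: newly installed binaries that are not
    approved should be investigated before the list is updated.
    """
    return sorted(path for path, data in installed.items()
                  if sha256_hex(data) not in approved)


# Constructed log lines from a hypothetical enforcement agent (key=value format).
# Lines with action=blocked are what the operational notes say to alert on.
LOG_LINES = [
    f"ts=2026-03-19T02:10:01Z host=srv-fin-01 action=allowed user=svc_ledger "
    f"path=/opt/app/bin/ledger hash={sha256_hex(b'ledger-v3.2')}",
    f"ts=2026-03-19T02:11:45Z host=srv-fin-01 action=blocked user=svc_batch "
    f"path=/tmp/.cache/updater hash={sha256_hex(b'unknown-dropper')}",
    f"ts=2026-03-19T02:12:03Z host=srv-fin-01 action=blocked user=svc_backup "
    f"path=/usr/bin/backup-agent hash={sha256_hex(b'backup-agent-1.9')}",
    f"ts=2026-03-19T02:12:09Z host=srv-fin-01 action=allowed user=svc_backup "
    f"path=/usr/bin/backup-agent hash={sha256_hex(b'backup-agent-1.9')}",
]

LINE_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Parse one key=value log line into a dict."""
    return dict(LINE_RE.findall(line))


def triage(lines: list, approved: dict) -> list:
    """Produce one alert per blocked execution, classified for the responder.

    A blocked binary that is NOT on the approved list is an attempt to run
    unapproved software. A blocked binary that IS on the approved list means
    the deployed policy lags the approved list (or the file differs from the
    approved version), which is a review item rather than an intrusion signal.
    """
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event.get("action") != "blocked":
            continue
        if event.get("hash") in approved:
            reason = "approved binary blocked: deployed policy out of date"
        else:
            reason = "unapproved binary execution attempt"
        alerts.append({
            "ts": event.get("ts"),
            "host": event.get("host"),
            "user": event.get("user"),
            "path": event.get("path"),
            "reason": reason,
        })
    return alerts


if __name__ == "__main__":
    for path in audit_installed(INSTALLED, APPROVED_HASHES):
        print(f"UNAPPROVED INSTALLED: {path}")
    for alert in triage(LOG_LINES, APPROVED_HASHES):
        print(f"ALERT {alert['ts']} {alert['host']} {alert['user']} "
              f"{alert['path']}: {alert['reason']}")
```

Keying the allowlist on content hashes rather than paths is what makes the audit meaningful: a binary copied to an approved path still fails the check unless its contents match. Separating "unapproved binary blocked" from "approved binary blocked" gives the responder the distinction the quarterly review needs, since the second case is evidence that the enforcement configuration has drifted from the approved list rather than of an intrusion attempt.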
Audit / evidence tips
- Ask: a copy of the approved applications list for the server. Ensure it is comprehensive and agrees with business needs.
  Good: A current, dated list that matches the latest software needs of the organisation.
- Good: Settings show clear restriction to only approved software, with automated alerts for any breaches.
- Ask: how the IT team monitors application use.
  Good: Logs show regular checks without any unauthorised application incidents over the last review period.
- Good: Meeting minutes showing discussions and decisions on applications list updates.
- Ask: records of staff training on application control.
  Good: Training records showing high participation and topics covering real-world risks and application control measures.
Cross-framework mappings
How ISM-1656 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | E8-AC-ML1.1 | ISM-1656 requires application control on non-internet-facing servers to prevent unauthorised application execution in secure server contexts |
| Partially overlaps | E8-AC-ML2.1 | ISM-1656 requires application control to be implemented on non-internet-facing servers to reduce execution of unauthorised software in se... |
| Supports | E8-AC-ML2.2 | ISM-1656 requires application control to be implemented on non-internet-facing servers to stop unapproved code from running |
| Related | E8-AC-ML3.1 | ISM-1656 requires organisations to implement application control on non-internet-facing servers to prevent unauthorised code from executi... |
| Related | E8-AC-ML3.2 | E8-AC-ML3.2 requires application control to restrict the execution of drivers to an organisation-approved set to prevent unauthorised cod... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.