Restrict Application Execution to Approved Set
Only approved software and scripts can run, enhancing system security.
Plain language
This control ensures that only approved software is allowed to run on your organisation's computers. It matters because if unauthorised programs can be executed, they can introduce malware or give attackers a way to steal information, causing serious business disruption.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1, ML2, ML3
Guideline: Guidelines for system hardening
Section: Operating system hardening
Topic: Application Control
Official control statement
Application control restricts the execution of executables, libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set.
Why it matters
Without application control (an enforced allow list of approved executables, libraries and scripts), unauthorised code can run, enabling malware, privilege abuse and unauthorised access to systems and data.
Operational notes
Maintain and review the application allow list, and test and deploy updates to it promptly. Verify that enforcement actually blocks unapproved files of every type named in the control statement (executables, libraries, scripts, installers, compiled HTML, HTML applications and control panel applets); a rule set left in audit-only mode logs violations but does not stop them. Monitor the logs for blocked attempts.
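The enforcement check and blocked-attempt review described above, as an added Python example. It is not part of the ISM, of this page, or of any vendor product: it models an allow-list policy as one rule collection per file type from the control statement, each in "enforce" or "audit" mode with hash rules and path rules, audits that policy for the gaps an assessor looks for (a type with no collection, a collection left in audit mode, a path rule that reaches into a user-writable location) and then evaluates sample execution attempts. The extension mapping, the user-writable locations, the sample policy and the sample attempts are all constructed for the example.

```python
"""Allow-list enforcement check and blocked-attempt review (constructed example)."""
import hashlib
from collections import Counter
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Set, Tuple

# File types named in the control statement, each with representative extensions.
# Assumption: this mapping is illustrative for the example, not an ISM list.
FILE_TYPES: Dict[str, Tuple[str, ...]] = {
    "executable": (".exe", ".com"),
    "library": (".dll", ".ocx"),
    "script": (".ps1", ".vbs", ".js", ".bat", ".cmd"),
    "installer": (".msi", ".msp", ".mst"),
    "compiled_html": (".chm",),
    "html_application": (".hta",),
    "control_panel_applet": (".cpl",),
}

# Locations a standard user can write to (assumption for the example). An
# allow-by-path rule here lets a user drop an unapproved file into an approved path.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\temp\\", "c:\\windows\\temp\\")


@dataclass
class Collection:
    mode: str                                        # "enforce" or "audit"
    hashes: Set[str] = field(default_factory=set)    # SHA-256 hex of approved files
    paths: List[str] = field(default_factory=list)   # lower-case fnmatch patterns


def file_type(path: str) -> Optional[str]:
    lower = path.lower()
    for name, exts in FILE_TYPES.items():
        if lower.endswith(exts):
            return name
    return None


def audit_policy(policy: Dict[str, Collection]) -> List[str]:
    """Findings an assessor would raise: uncovered types, audit-only collections,
    and path rules that reach into user-writable locations."""
    findings = []
    for name in FILE_TYPES:
        coll = policy.get(name)
        if coll is None:
            findings.append(f"{name}: no rule collection, so these files run unrestricted")
        elif coll.mode != "enforce":
            findings.append(f"{name}: collection is in {coll.mode} mode, so unapproved "
                            "files are logged, not blocked")
    for name, coll in policy.items():
        for pattern in coll.paths:
            if pattern.lower().startswith(USER_WRITABLE_PREFIXES):
                findings.append(f"{name}: path rule {pattern!r} covers a user-writable location")
    return findings


def evaluate(policy: Dict[str, Collection],
             attempts: List[Tuple[str, str, bytes]]) -> List[dict]:
    """Decide each (user, path, file content) attempt; return every record that is
    not a clean allow, which is what the blocked-attempt log review should see."""
    records = []
    for user, path, content in attempts:
        ftype = file_type(path)
        coll = policy.get(ftype) if ftype else None
        if coll is None:
            verdict = "allowed (no collection)"
        else:
            digest = hashlib.sha256(content).hexdigest()
            approved = digest in coll.hashes or any(
                fnmatchcase(path.lower(), p.lower()) for p in coll.paths)
            if approved:
                verdict = "allowed"
            elif coll.mode == "enforce":
                verdict = "blocked"
            else:
                verdict = "audit-only (would block)"
        if verdict != "allowed":
            records.append({"user": user, "path": path, "type": ftype, "verdict": verdict})
    return records


def summarise(records: List[dict]) -> Dict[str, int]:
    return dict(Counter(r["verdict"] for r in records))


# Constructed sample policy: scripts are left in audit mode, HTML applications have
# no collection at all, and one installer path rule points at a user-writable folder.
SAMPLE_POLICY: Dict[str, Collection] = {
    "executable": Collection("enforce", paths=["c:\\program files\\*", "c:\\windows\\*"]),
    "library": Collection("enforce", paths=["c:\\windows\\*"],
                          hashes={hashlib.sha256(b"constructed kernel32 bytes").hexdigest()}),
    "script": Collection("audit", paths=["c:\\scripts\\*"]),
    "installer": Collection("enforce", paths=["c:\\users\\public\\installers\\*"]),
    "compiled_html": Collection("enforce", paths=["c:\\program files\\*"]),
    "control_panel_applet": Collection("enforce", paths=["c:\\windows\\system32\\*"]),
}

# Constructed execution attempts: (user, path, file content).
SAMPLE_ATTEMPTS = [
    ("alice", "C:\\Program Files\\Vendor\\app.exe", b"vendor app bytes"),
    ("alice", "C:\\Users\\alice\\Downloads\\tool.exe", b"unsigned download"),
    ("bob", "C:\\Users\\bob\\AppData\\Local\\Temp\\stage.ps1", b"unapproved script"),
    ("bob", "C:\\Users\\bob\\Downloads\\launcher.hta", b"hta content"),
    ("carol", "C:\\Windows\\System32\\kernel32.dll", b"constructed kernel32 bytes"),
    ("carol", "D:\\share\\setup.msi", b"unknown installer"),
]

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print("POLICY GAP:", finding)
    review = evaluate(SAMPLE_POLICY, SAMPLE_ATTEMPTS)
    for rec in review:
        print(f"{rec['verdict']:<26} {rec['user']:<6} {rec['path']}")
    print(summarise(review))
```

Run as-is, the policy audit reports three gaps (the audit-mode script collection, the missing HTML application collection and the user-writable installer path), and the attempt review shows two blocks, one script that was only logged, and one HTA that ran because nothing covered it. Those last two are the cases a live demonstration of "it blocks unapproved applications" can hide if the demonstration only tries an unapproved .exe.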
Implementation tips
- IT team: Compile a list of approved applications that are necessary for organisational tasks. Work with department heads to determine which programs are essential for daily operations and ensure these are the only ones allowed to run.
- System owner: Implement application control software to manage which applications can be executed. Use the approved applications list to configure the software to block anything not listed.
- Management: Communicate to all staff the importance of using only approved software for their tasks. This can be done via email or a team meeting, highlighting the risks of unauthorised software.
- IT team: Regularly review and update the list of approved applications. Set a quarterly meeting with key stakeholders to ensure new software needs are considered and keep the list current.
- IT team: Train staff on recognising and reporting attempts to run unauthorised software. Offer workshops or online courses explaining the steps they should take if they receive suspicious software requests.
Audit / evidence tips
- Ask: a copy of the approved applications list. Request the list of software and scripts that are currently approved for use.
  Good: the list has software names, version numbers and approval dates.
- Ask: a demonstration of the application control software. Request a live demonstration showing how the software blocks unauthorised applications.
  Good: the demonstration shows blocked attempts to run unapproved applications.
- Ask: results of the latest review of approved applications. Request documentation of the last review meeting outcomes.
  Good: includes a summary of reviewed applications and any changes made.
- Ask: to see staff training records on application control. Request evidence of completed training courses or sessions.
- Ask: examples of user reports on unauthorised software attempts.
  Good: shows that staff are vigilant and reports are being addressed promptly.
Cross-framework mappings
How ISM-1657 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 8.18 | Partially overlaps | Annex A 8.18 requires restricting and tightly controlling use of utility programs that can override system and application controls, effe... |
E8
| Relationship | Count |
|---|---|
| Partially meets | 3 |
| Partially overlaps | 1 |
| Supports | 3 |
| Related | 2 |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.