Restrict Execution of Drivers via Application Control
Ensures only approved drivers are run on systems, enhancing security.
Plain language
This control ensures that only the drivers officially approved by your organisation are allowed to run on your computers and devices. This matters because unapproved or malicious drivers can be used by attackers to gain control of your systems, potentially causing data breaches or system failures.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Guideline
Guidelines for system hardening
Section
Operating system hardening
Topic
Application Control
Official control statement
Application control restricts the execution of drivers to an organisation-approved set.
Why it matters
Unapproved drivers can introduce kernel-level vulnerabilities, enabling privilege escalation or malware persistence, causing breaches and outages.
Operational notes
Maintain an approved driver allow-list; review new driver releases, and routinely audit endpoints so only allow-listed/signed drivers load at boot/runtime.
Implementation tips
- IT team should establish a list of approved drivers: Create an official list of drivers that are allowed to run on all organisation-owned devices, ensuring they are safe and necessary for operations. The IT team should work with software vendors and review the security of each driver before adding it to the list.
- System administrators should configure application control: Use the system's built-in security settings to limit driver execution to only those on the approved list. This involves adjusting the operating system’s policy settings to block any drivers not included in the approved set.
- Procurement team should involve IT in driver approval: Whenever acquiring new hardware or software that requires drivers, have the procurement team collaborate with IT to vet the drivers. IT should check whether new drivers are secure and compatible with the current systems before allowing their use.
- IT team should train staff: Conduct training sessions for all staff to ensure they understand the importance of using approved drivers and how to request a driver to be added to the approved list. Use straightforward language and scenarios relevant to their everyday tasks.
- System administrators should regularly review the approved drivers list: Schedule routine checks to ensure that the list of approved drivers is current and remove any that are no longer needed or pose a security risk. This task can be done quarterly or whenever major updates occur.
Audit / evidence tips
- Ask: the current list of approved drivers. Request the document or database that contains all drivers currently authorised by the organisation.
  Good: a well-organised list with recent entries and rationale for approval.
- Ask: demonstration of application control settings. Request a live or recorded demonstration of the application control settings on a representative system.
  Good: systems actually blocking unapproved drivers in practice.
- Ask: staff training records. Request evidence that staff have been trained on the importance of using approved drivers and the procedure for driver approval.
  Good: clear records of recent training sessions with feedback from participants.
- Ask: logs of driver execution attempts. Request log files from systems that show attempts to run drivers and whether they were approved or blocked.
  Good: logs showing blocked attempts, indicating effective enforcement.
- Ask: incident reports related to driver issues. Request any incident reports that involved driver-related security issues.
  Good: reports that describe incidents and demonstrate lessons learned and mitigation steps.
Cross-framework mappings
How ISM-1658 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 8.18 | Annex A 8.18 requires tight restriction of utilities capable of overriding system and application controls, which includes mechanisms tha... | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Partially overlaps (1) | | |
| Supports (3) | | |
| Related (2) | | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.