Enable Security Features for System Protection
Ensure essential security features are active to protect the system during startup.
Plain language
This control is about activating security features on your computer systems before anything else starts up, to keep them safe and secure every time you turn them on. If these protections are not active, your system could be vulnerable to viruses or tampering before your usual defences kick in, putting your data and operations at risk.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Operating system hardening
Official control statement
Early Launch Antimalware, Secure Boot, Trusted Boot and Measured Boot functionality is enabled.
Why it matters
If ELAM, Secure Boot, Trusted Boot and Measured Boot are not enabled, boot-time malware or rootkits can tamper with startup, bypassing defences and risking compromise.
Operational notes
Periodically confirm ELAM, Secure Boot, Trusted Boot and Measured Boot are enabled in UEFI/OS, and review boot attestation or event logs for unexpected boot changes.
Implementation tips
- IT team should enable Secure Boot: Ensure this feature is turned on in the system's UEFI firmware (BIOS) settings. It allows the computer to verify that it only loads software that is trusted by the manufacturer.
- IT team should activate Early Launch Antimalware: This involves configuring the system so that antivirus software starts before any other program. Check the system settings to ensure the antivirus program is included in the startup sequence.
- IT team should set up Trusted Boot: This ensures every component of the operating system loads correctly and is verified by a known source. Use built-in system tools to verify and configure this setting.
- IT team should implement Measured Boot: This records the boot sequence for audit purposes, creating a log to show what was loaded. Confirm this feature is enabled in the system management settings to provide a detailed log post-startup.
- System owner should regularly review these settings: Schedule regular check-ins with the IT team to ensure all these features are working as intended and up to date. This can help catch and address new vulnerabilities early.
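
A periodic check of the settings named in the operational notes and tips above, for a Windows host, as an added example (not part of the ISM or of this page's source). It assumes an elevated PowerShell session and English-language `bcdedit` output; treating a `DriverLoadPolicy` of 7 as a finding and using `testsigning`/`nointegritychecks` as Trusted Boot indicators are this example's own assumptions.

```powershell
# Added example: read-only audit of boot protections on the local Windows host.
# Assumes an elevated session and English-language bcdedit output.
$r = [ordered]@{}

# Secure Boot: the cmdlet returns $true/$false and throws on non-UEFI firmware.
try   { $r.SecureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
catch { $r.SecureBoot = $false }

# ELAM: "Boot-Start Driver Initialization Policy" is stored as DriverLoadPolicy.
# 8 = good only, 1 = good and unknown, 3 = good, unknown and bad-but-critical
# (Windows default when the value is absent), 7 = all drivers.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
$val = Get-ItemProperty -Path $key -Name DriverLoadPolicy -ErrorAction SilentlyContinue
$r.ElamDriverLoadPolicy = if ($val) { [int]$val.DriverLoadPolicy } else { 3 }

# BCD options on the current boot entry that switch off ELAM drivers or
# relax the signature checks Trusted Boot relies on (assumption of this example).
$bcd = (& bcdedit.exe /enum '{current}') -join "`n"
$r.ElamDriversDisabled = $bcd -match '(?im)^disableelamdrivers\s+Yes'
$r.TestSigning         = $bcd -match '(?im)^testsigning\s+Yes'
$r.NoIntegrityChecks   = $bcd -match '(?im)^nointegritychecks\s+Yes'

# Measured Boot: needs a ready TPM; Windows stores TCG boot logs under Logs\MeasuredBoot.
try   { $tpm = Get-Tpm -ErrorAction Stop; $r.TpmReady = $tpm.TpmPresent -and $tpm.TpmReady }
catch { $r.TpmReady = $false }
$log = Get-ChildItem "$env:windir\Logs\MeasuredBoot" -Filter *.log -ErrorAction SilentlyContinue |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
$r.LatestMeasuredBootLog = if ($log) { $log.LastWriteTime } else { $null }

# Overall result: every protection present and no weakening option set.
$r.Compliant = $r.SecureBoot -and $r.TpmReady -and ($null -ne $log) -and
               ($r.ElamDriverLoadPolicy -ne 7) -and
               -not ($r.ElamDriversDisabled -or $r.TestSigning -or $r.NoIntegrityChecks)

# Emit one record per host; it can be kept as audit evidence.
[pscustomobject]$r | Format-List
```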
Audit / evidence tips
- Ask: the system BIOS configuration report. Request documentation showing Secure Boot is enabled.
  Good: a screenshot or report showing Secure Boot is active.
- Ask: to see the antivirus startup configuration. Request a demonstration or policy document showing Early Launch Antimalware is enabled.
  Good: proof that antivirus software loads first before anything else.
- Ask: to review the system event log. Request the log file that records Trusted Boot activities.
  Good: consistent log entries showing trusted verification of each component.
- Ask: the Measured Boot report. Request access to boot sequence logs that show activity during startup.
  Good: a detailed log showing the sequence of approved activities.
- Ask: recent system audits or reports. Request any internal or external audits that examine these boot security settings.
  Good: a report with minimal or no discrepancies and dates of the last checks.
Cross-framework mappings
How ISM-1745 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 8.7 | ISM-1745 requires boot-time security controls including Early Launch Antimalware and secure/trusted/measured boot to reduce the chance of... | |
| Supports (1) | | |
| Annex A 8.8 | ISM-1745 requires enabling defined security features (ELAM, Secure Boot, Trusted Boot and Measured Boot) to harden systems at startup | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| E8-RA-ML3.4 | E8-RA-ML3.4 requires memory integrity functionality to be enabled to reduce the likelihood of successful memory exploitation | |
| Supports (1) | | |
| E8-RA-ML3.6 | E8-RA-ML3.6 requires enabling Credential Guard to isolate and protect stored credentials on Windows systems | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.