ISM-1870: ASD Information Security Manual (ISM)

Implement Application Control for User Profiles and Folders

Ensure user and temporary folders for systems, browsers, and emails are secured via application control.

Plain language

This control is about making sure that only approved programs can access the parts of your computer where temporary files and user data are stored. Why is this important? If unauthorised programs get into these folders, they can easily cause harm by stealing information or spreading malware.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2023

Control Stack last updated

19 May 2026

E8 maturity levels

ML1, ML2, ML3

Official control statement

Application control is applied to user profiles and temporary folders used by operating systems, web browsers and email clients.
ASD Information Security Manual (ISM), ISM-1870

Why it matters

Unauthorised access to user profiles and temporary folders can enable malware execution and data theft, rapidly compromising sensitive business operations.

Operational notes

Maintain application control rules for user profiles and temporary folders; allow only approved apps, and review logs for unauthorised access attempts.

Implementation tips

  • The IT team should review all current applications on user devices to make sure they are approved and necessary. They can do this by creating a list of all installed software and cross-checking it against a list of approved applications.
  • System administrators should set up application control tools that restrict which programs can run in users’ temporary folders. They can configure these tools to allow only applications from a pre-approved list to execute.
  • IT staff should work with department managers to inform employees about the importance of not downloading unauthorised software. They should create simple guidelines or a short training session to explain the risks and safe practices.
  • The IT team should conduct a quarterly check of user profiles and folders to ensure compliance with application controls. They can use automated tools to scan for non-approved software and take corrective action if necessary.
  • Cyber security officers should work with leadership to reinforce these controls as part of a broader application control policy. They should ensure policies are documented, communicated, and accessible for all staff to understand the rules and reasons.

Audit / evidence tips

  • Ask: The application control policy document. Request the document that outlines the applications allowed and restricted within user profiles and temporary folders. Good: a detailed, up-to-date policy with input from IT and leadership.
  • Ask: Records of application reviews. Request the logs or reports showing the review of applications installed on systems. Good: comprehensive and dated logs showing approvals and exceptions.
  • Ask: To see the configuration settings of the application control tool. Request a demonstration of how the tool restricts access to user profiles and temporary folders. Good: settings that clearly enforce the control’s requirements.
  • Ask: Training records. Request proof of staff training on the risks of unauthorised software and application control policies. Good: records showing that regular and mandatory training sessions were provided.
  • Ask: Recent security audit or incident reports. Request documents that cover any findings related to application control violations in recent audits or security incidents. Good: detailed reports with resolved incidents and improved controls.

Cross-framework mappings

How ISM-1870 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

E8

Control Notes Details
Depends on (1)
E8-AC-ML1.3 ISM-1870 requires application control coverage specifically for user profiles and temporary folders used by operating systems, web browse...
Related (1)
E8-AC-ML1.2 ISM-1870 requires application control to be applied to user profiles and temporary folders used by operating systems, web browsers and em...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
