ISM-1871 | ASD Information Security Manual (ISM)

Implement Application Control Exclusions for System Areas

Application control is applied to every location except designated system areas, namely user profiles and temporary folders.


Plain language

This control means you set up your application control software so it does not check certain parts of your computer, namely the places where personal settings (user profiles) and temporary files are stored. It matters because if the software goes snooping in these areas, it could cause annoying problems like slowing down your computer or interfering with other programs. By keeping these areas off limits, you ensure your system runs smoothly while the other, important areas remain securely monitored.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2023

Control Stack last updated

19 May 2026

E8 maturity levels

ML2, ML3

Official control statement

Application control is applied to all locations other than user profiles and temporary folders used by operating systems, web browsers and email clients.

Why it matters

Without this control, application control may be bypassed by running code from user profiles or OS/browser/email temporary folders, increasing malware execution risk.


Operational notes

Apply application control to all system and program locations; exclude only user profiles and the temporary folders used by the operating system, web browsers and email clients, and review those exclusions regularly.


Implementation tips

  • The IT team should identify which parts of the computer are to be excluded from application control. They can do this by listing the folders to be excluded: user profiles and the temporary folders that store short-term data.
  • The IT manager should communicate the importance of these exclusions to staff involved in system upkeep. Conduct a briefing session explaining why these folders are excluded and how this keeps other systems stable and performing properly.
  • System administrators need to configure the application control settings to implement these exclusions. They can use system tools or configuration settings to specify which areas are left unchecked by application control.
  • Technical staff should test the configuration to ensure the excluded areas are actually being bypassed by the control software. They can create trial scenarios to confirm the settings work as intended without affecting system performance.
  • The compliance officer should document this setup process in the organisation's security policy. This can be done by writing a policy section that explains which areas are excluded and why, keeping records clear for audits.
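One way to carry out the operational note above (apply control everywhere, exclude only user profiles and temporary folders, review the exclusions regularly) and the testing step in the implementation tips is to audit the exported policy rather than click through the settings. The following Python script is an added example, not code from the ISM, the ASD or any vendor. It assumes Windows AppLocker, the XML layout that `Get-AppLockerPolicy -Xml` produces, and the path prefixes named in the block; the sample policy is constructed for the example. Every path-based Allow rule is a location where code runs without further checks, so the script sorts those locations into ISM-1871's permitted exclusions, the write-protected system and program locations, and anything else that needs review, and it flags rule collections that are not enforced.

```python
"""Audit an AppLocker policy export against the ISM-1871 scope rule.

Added example: not code from the ISM or from any vendor tool. Buckets:
  permitted_exclusion - user profiles and the OS temp folder (ISM-1871 lets
                        these sit outside application control)
  protected_location  - %WINDIR% / %PROGRAMFILES%, the write-protected
                        system and program locations
  review              - any other location left outside control
  not_enforced        - a rule collection in AuditOnly / NotConfigured mode
The path prefixes are assumptions about a typical Windows layout.
"""
import xml.etree.ElementTree as ET

# AppLocker path-variable prefixes, compared case-insensitively (assumed layout).
PERMITTED_EXCLUSIONS = ("%OSDRIVE%\\USERS\\", "%WINDIR%\\TEMP\\")
PROTECTED_LOCATIONS = ("%WINDIR%\\", "%PROGRAMFILES%\\")

# Constructed sample policy; nothing here was exported from a real host.
SAMPLE_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="1" Name="All files in Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="2" Name="All files in Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="3" Name="User profiles (ISM-1871 exclusion)" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*"/></Conditions>
      <Exceptions><FilePathCondition Path="%OSDRIVE%\Users\Public\*"/></Exceptions>
    </FilePathRule>
    <FilePathRule Id="4" Name="Shared data drive" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="D:\Shared\*"/></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="NotConfigured"/>
</AppLockerPolicy>"""


def classify_path(path):
    """Place one allowed path into an ISM-1871 scope bucket."""
    p = path.upper()
    if any(p.startswith(prefix) for prefix in PERMITTED_EXCLUSIONS):
        return "permitted_exclusion"
    if any(p.startswith(prefix) for prefix in PROTECTED_LOCATIONS):
        return "protected_location"
    return "review"


def audit_policy(xml_text):
    """Return one finding dict per enforcement gap or path-based Allow rule."""
    findings = []
    root = ET.fromstring(xml_text)
    for coll in root.iter("RuleCollection"):
        ctype = coll.get("Type")
        mode = coll.get("EnforcementMode", "NotConfigured")
        if mode != "Enabled":
            # AuditOnly or NotConfigured: nothing is blocked in this collection.
            findings.append({"collection": ctype, "rule": None, "path": None,
                             "status": "not_enforced", "detail": mode})
        for rule in coll.findall("FilePathRule"):
            if rule.get("Action") != "Allow":
                continue  # Deny rules narrow scope; they never open a location.
            # Exceptions carve holes back out of an Allow rule; keep them visible.
            exceptions = [c.get("Path") for c in rule.findall("Exceptions/FilePathCondition")]
            detail = ("exceptions: " + ", ".join(exceptions)) if exceptions else ""
            for cond in rule.findall("Conditions/FilePathCondition"):
                path = cond.get("Path")
                findings.append({"collection": ctype, "rule": rule.get("Name"),
                                 "path": path, "status": classify_path(path),
                                 "detail": detail})
    return findings


def summarise(findings):
    """Count findings per status, the figure to carry into the exclusion review."""
    counts = {}
    for f in findings:
        counts[f["status"]] = counts.get(f["status"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f"{f['collection']:<7} {f['status']:<20} {f['path'] or ''} {f['detail']}")
    print(summarise(audit_policy(SAMPLE_POLICY)))
```

In the sample, the user-profile rule lands in `permitted_exclusion`, the Windows and Program Files rules in `protected_location`, the shared drive in `review` (a location outside control that ISM-1871 does not permit), and the Script collection is reported as `not_enforced`. The `review` list is what the regular exclusion review should work through; a Windows Defender Application Control policy or a third-party allowlisting product stores its rules differently and needs its own parser.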

Audit / evidence tips

  • Ask: the system configuration report. Request the document or screenshot that shows the list of excluded folders, and check that the specified areas, such as user profiles and temporary folders, are clearly listed. Good evidence: the report shows user profiles and temporary folders as excluded areas, and the document is dated and authenticated.
  • Ask: a demonstration of the system settings. Request a walk-through of the actual settings in the control software. Good evidence: the live demonstration shows the control software with the excluded areas ticked off the monitoring list and the settings saved.
  • Ask: the policy document. Request the section of the security policy that covers application control exclusions, and check that it explains why the exclusions are necessary. Good evidence: the policy document is detailed, references the relevant folders, and includes management sign-off.
  • Ask: logs of control activities before and after the exclusions. Request logs that show how application control behaved before and after the exclusions were implemented, and check for fewer false positives in performance-sensitive areas. Good evidence: the logs show a reduction in unnecessary control checks in the targeted folders after the exclusions were applied.
  • Ask: training or briefing records. Request evidence of staff training sessions on the exclusion policy. Good evidence: clear records of a training session with attendee names and session notes describing the exclusion process.

Cross-framework mappings

How ISM-1871 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Supports (1)
  • Annex A 8.19: ISM-1871 requires a specific secure configuration for application control coverage, excluding user profiles and temporary folders to redu...

E8

Partially overlaps (2)
  • E8-AC-ML1.2: E8-AC-ML1.2 requires application control to be applied to user profiles and temporary folders used by operating systems, web browsers and...
  • E8-AC-ML3.1: E8-AC-ML3.1 requires application control to be implemented on non-internet-facing servers so only approved software can execute.
Supports (1)
  • E8-AC-ML2.1: ISM-1871 defines where application control should and should not be applied, specifically excluding user profiles and temporary folders.
Related (1)
  • E8-AC-ML2.2: ISM-1871 requires application control to be applied to all locations except user profiles and temporary folders used by operating systems...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
