ISM-1914, ASD Information Security Manual (ISM)

Ensure Operating Systems Have Approved Configurations

Organisations must create and maintain approved configurations for all operating systems.


Plain language

This control is all about making sure your computers and servers follow a set of approved rules about how they should be set up. This is important because a computer that isn't set up right can act like an unlocked door, letting in viruses or hackers who can steal data and cause chaos in your business.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Approved configurations for operating systems are developed, implemented and maintained.
ASD Information Security Manual (ISM), ISM-1914

Why it matters

Without approved OS configurations, insecure defaults and configuration drift increase vulnerability exposure, enabling compromise, data breaches and outages.


Operational notes

Define approved OS hardening baselines, deploy via configuration management, and regularly scan for drift; remediate deviations or document exceptions via change control.


Implementation tips

  • System owners should work with the IT team to create a list of approved settings for each type of computer in use. This involves deciding on the best security settings that protect the system without interrupting daily work, and documenting these settings clearly.
  • The IT team should apply these approved settings to all existing computers and servers. This can be done by setting up each device according to the list of configurations, using tools or scripts where possible to automate the process.
  • Managers should ensure that new computers are set up according to the approved configurations before they are used by staff. They can do this by running a checklist provided by the IT team that confirms each device matches the approved settings.
  • The IT team should regularly check that all devices still match the approved configurations. They can schedule regular reviews and use tools that automatically compare each device's settings against the approved list.
  • System owners and managers should review and update the approved configurations periodically or after any major software updates. This ensures that the settings are still effective against new threats and compatible with any updates or changes in software.

Audit / evidence tips

  • Ask: The approved configuration document. Request the document detailing the specific settings for each type of device. Good: Means the document is current, comprehensive, and clearly approved.
  • Ask: A recent report showing how the current device setups match the approved configurations. Good: Will show most, if not all, devices in full compliance.
  • Good: Includes clear steps that ensure conformity from the start.
  • Ask: Records of periodic checks. Request evidence of routine audits of existing device settings. Good: Shows regular checks with findings documented and acted upon.
  • Ask: Records of any changes to the approved configurations. Good: Includes a rationale for updates with dates and responsible person details.

Cross-framework mappings

How ISM-1914 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Related (2)

  • Annex A 8.8: Annex A 8.8 requires obtaining vulnerability information, evaluating exposure and implementing measures including secure configuration of...
  • Annex A 8.9: Annex A 8.9 requires secure configurations to be established and managed across IT systems

E8

Partially meets (1)

  • E8-AH-ML3.2: E8-AH-ML3.2 requires organisations to disable or remove Windows PowerShell 2.0 on Windows systems

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
