ISM-1915, ASD Information Security Manual (ISM)

Ensure User Application Configurations are Approved

Make sure that all user applications follow approved setup guidelines to keep systems secure.


Plain language

This control means making sure every application your team uses is set up in a secure way that's been officially approved. It's important because if apps are left unsecured, hackers might find ways to sneak into your systems, steal data, or damage your reputation.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Approved configurations for user applications are developed, implemented and maintained.
ASD Information Security Manual (ISM), ISM-1915

Why it matters

Unapproved user application configurations can weaken security settings, enabling exploitation, data compromise and disruption to business operations.


Operational notes

Maintain approved application baselines; routinely compare deployed settings to the baseline, and require security approval and change records for any deviations.


Implementation tips

  • The IT team should create a list of applications used within the organisation. They can start by surveying employees or checking software purchase records to ensure all applications are accounted for.
  • Once you have the application list, the IT team should review and establish secure setup guidelines for each one. This can involve consulting with software vendors or following the Australian Cyber Security Centre (ACSC) recommendations on application hardening.
  • Managers should ensure that any software they plan to introduce is vetted by the IT team against these guidelines before it’s used. They can have a quick approval process in place where the IT team checks the setup against their checklist.
  • The IT team should periodically review applications to ensure they remain securely configured. This can be done by scheduling quarterly checks and documenting the outcomes.
  • Appoint a system owner to take responsibility for each critical application. They should maintain records of configurations and handle any changes or updates, ensuring compliance with approved setups.

Audit / evidence tips

  • Ask: The list of all applications currently in use. Good: List should match software purchase records and employee reports
  • Ask: Records of approvals for each application used
  • Good: Has timely updates with corrective actions when necessary
  • Ask: Training records or meeting notes showing communication to users about these configurations. Good: Training record ensures all users know how to maintain application security

Cross-framework mappings

How ISM-1915 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)
  • Annex A 8.9: ISM-1915 requires approved configurations for user applications to be developed, implemented, and maintained
Partially overlaps (1)
  • Annex A 8.19: ISM-1915 mandates the use of approved configurations for user applications and their maintenance
Related (1)
  • Annex A 8.8: Annex A 8.8 requires organisations to manage security configuration by identifying technical vulnerabilities, evaluating exposure and imp...

E8

Partially meets (1)
Supports (6)
Depends on (1)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
