Ensure Server Application Configurations Are Approved
Organisations should create and maintain approved settings for server software to ensure security.
Plain language
This control means that organisations should develop and stick to a set of approved settings for their server software to keep things secure. If this isn't done, servers may become vulnerable to attacks, which could result in data breaches, loss of customer trust, or financial harm.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
Approved configurations for server applications are developed, implemented and maintained.
Why it matters
Without approved server application configurations, insecure settings can be introduced, enabling exploitation and causing data breaches and loss of trust.
Operational notes
Review and update approved server application configuration baselines regularly; enforce change control to prevent unauthorised configuration changes.
Implementation tips
- System owners should identify and document the necessary software configurations that must be approved before being applied to servers. They can do this by consulting with IT specialists to determine security needs and creating a standard checklist of configurations.
- The IT team should apply only those configurations that have been formally approved. This means following a documented process where all changes must be reviewed and signed off by a responsible party before implementation.
- Managers should conduct regular training sessions to ensure that staff understand why approved configurations are crucial. They can use real-world examples of security incidents due to improper configurations to highlight the importance.
- IT teams should schedule regular reviews of the configuration settings to ensure they remain up-to-date and secure. This involves checking current configurations against the approved list and making updates as necessary.
- System owners should create a simple process for updating the approved configurations. This process should include gathering input from key stakeholders and documenting any changes made to help maintain clarity and consistency.
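As an added example (not part of this control page or the ISM), a small Python check of the kind the review step above describes: it compares a server application's observed settings against an approved, dated baseline, lists every deviation, and flags a baseline that is past its review interval. The application name, setting names, values and dates are constructed for illustration.

```python
from datetime import date

# Constructed sample: the approved baseline for a hypothetical server application,
# carrying the approval record that the audit evidence tips ask for.
APPROVED_BASELINE = {
    "application": "example-httpd",          # hypothetical application name
    "approved_by": "Security Architecture",
    "approved_on": "2026-02-10",
    "review_interval_days": 180,
    "settings": {
        "tls_min_version": "1.2",
        "server_tokens": "off",
        "directory_listing": "off",
        "admin_interface_bind": "127.0.0.1",
    },
}

# Constructed sample: settings as observed on a server (e.g. exported by a
# configuration-management tool). Deviations from the baseline are marked.
OBSERVED_SETTINGS = {
    "tls_min_version": "1.2",
    "server_tokens": "on",        # drift: value differs from the approved one
    "directory_listing": "off",
    "debug_mode": "on",           # drift: setting present but never approved
    # admin_interface_bind is absent: drift (approved setting not applied)
}


def find_drift(baseline, observed):
    """Return (setting, approved_value, observed_value) for every deviation.

    Settings missing on either side show up as None, so unapproved additions
    and unapplied approved settings are both reported.
    """
    approved = baseline["settings"]
    drift = []
    for key in sorted(set(approved) | set(observed)):
        if approved.get(key) != observed.get(key):
            drift.append((key, approved.get(key), observed.get(key)))
    return drift


def baseline_is_current(baseline, today_iso):
    """True if the baseline was approved within its review interval."""
    approved_on = date.fromisoformat(baseline["approved_on"])
    age_days = (date.fromisoformat(today_iso) - approved_on).days
    return age_days <= baseline["review_interval_days"]


if __name__ == "__main__":
    print("baseline current:", baseline_is_current(APPROVED_BASELINE, "2026-03-19"))
    for setting, approved, observed in find_drift(APPROVED_BASELINE, OBSERVED_SETTINGS):
        print(f"drift: {setting}: approved={approved!r} observed={observed!r}")
```

Any reported drift should go through the change-control process described in the operational notes: either the server is corrected to match the baseline, or the baseline is formally updated and re-approved.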
Audit / evidence tips
- Ask for the approved configuration standards document: Request the file that outlines all approved server settings
  Good: Standards are detailed, dated, and approved by a responsible authority
- Ask to see the change approval record: Request evidence of approved changes for server configurations
  Good: All changes have approval records and are consistent with the standard
- Ask for training session records: Request logs or records of training sessions focused on server configurations
  Good: Regular sessions are conducted with comprehensive coverage of relevant topics
- Ask for the procedure document for reviewing configurations: Request the document detailing how configuration reviews are conducted
  Good: Procedure is clear, scheduled, and responsibilities are well-defined
- Ask for recent review reports: Request recent reports or records from configuration reviews
  Good: Reports are thorough, with documented follow-up actions for improvements
Cross-framework mappings
How ISM-1916 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Supports | Annex A 8.19 | Annex A 8.19 requires organisations to implement secure procedures and measures to control software installation on operational systems |
| Related | Annex A 8.8 | Annex A 8.8 requires managing security configuration as part of reducing exposure to technical vulnerabilities |
| Related | Annex A 8.9 | Annex A 8.9 requires secure configurations to be established, documented, implemented, monitored and reviewed across IT assets |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.