Restrict and Scan File Uploads for Security
Ensure only certain file types are accepted and scanned for viruses before being accessed, executed, or stored.
Plain language
This control is about making sure that when files are uploaded to your system, only certain types are allowed, and they must be scanned to ensure they're safe. It's important because harmful files could infect your system, leading to data loss or a security breach which could damage your business and reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software developmentTopic
Software Input HandlingOfficial control statement
File uploads or input are restricted to specific file types, with malicious content scanning occurring prior to file access, file execution or file storage.
Why it matters
Unrestricted file uploads can allow malicious files to be stored or executed, leading to malware infection, data loss, and service disruption.
Operational notes
Maintain a strict allow-list of permitted upload types and ensure anti-malware scanning runs before any file is stored, accessed or executed.
Implementation tips
- The IT team should create a list of acceptable file types for uploads. They can do this by consulting with the business manager to identify which file types are necessary for day-to-day operations.
- System owners need to implement a file scanning solution to check files for viruses before they're accessed. This can be done by integrating antivirus software that automatically scans each uploaded file.
- Business managers should establish a policy that educates employees on acceptable file types. They can organise short training sessions or create a simple guide to outline this information.
- The IT team should test the file upload process to ensure that only the specified file types are accepted. They can simulate uploads of different file types and verify that the system rejects disallowed ones.
- Security officers must ensure that scanned files are logged and monitored for any suspicious activity. They can set up an alert system that notifies them of any unusual activities related to file uploads.
Audit / evidence tips
-
Askthe file type restriction policy: Request the document detailing which file types are allowed for upload
Goodwill include a list approved by relevant authorities and dates of last updates
-
Askantivirus scan logs: Request recent logs from the antivirus software showing files scanned over a specific period
Goodlogs showing that allowed file types are scanned and any detected issues are resolved immediately
-
Askemployee training records: Request records showing staff have been trained on file upload policies
Goodincludes recent training sessions attended by all relevant staff
-
Asktest records of the file upload process: Request documentation or results of tests conducted to ensure only allowed file types are accepted
Goodrecords of successful tests that demonstrate only specified types are allowed
-
Askfile monitoring reports: Request reports that show monitoring of file uploads and any associated alerts
Goodincludes instances of alerts and actions taken to address any issues
Cross-framework mappings
How ISM-2059 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| handshake Supports (3) expand_less | ||
| Annex A 8.26 | ISM-2059 requires organisations to restrict file types and conduct malware scanning | |
| Annex A 8.28 | ISM-2059 mandates file type restriction and scanning for malicious content | |
| Annex A 8.29 | ISM-2059 requires organisations to restrict uploaded/input file types and scan for malicious content before files are accessed, executed ... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.