
Application Control List Guide

Last updated on Sep 23, 2025

1. Purpose of this Guide

This artefact proves your company has rules about what software and file types are allowed (and which are banned). Cyber Essentials requires this because unmanaged or dodgy apps are a common way malware sneaks in. A written Application Control List is your “spellbook of allowed tools” — helping staff know what’s safe, and showing auditors you’ve locked the gates.


2. What You Will Submit

You will need:

  • Your Application Control List document or template (Word, PDF, or spreadsheet).

  • It should clearly state:

    • The objective (why this policy exists).

    • Scope (who it applies to — employees, contractors, systems).

    • How authorised software is managed (e.g. via IT, MDM, or endpoint tools).

    • Which software and file types are prohibited (e.g. torrents, pirated software, .exe attachments, password-protected zips).

    • Version history showing reviews/updates.


3. How to Collect / Obtain / Generate This Evidence

Using StrongKeep's Policy Template

  • If you are already using StrongKeep's application control policy, edit it as required and export it to PDF.

  • If you’re starting fresh:

    1. Open the provided Application Control List Template.

    2. Fill in your company name, version history, and review date.

    3. List approved/authorised software (or state “all not-prohibited software is allowed”).

    4. List prohibited software and file types — include common risky items (torrents, pirated apps, third-party app stores, executable attachments).

    5. Save the document and circulate to staff.

Using Mobile Device Management Software

If you use Mobile Device Management (MDM) or endpoint management software to standardise controls and configuration across your organisation, you can implement and enforce the application control policy through that tool, and its settings then serve as supporting evidence alongside the written document.

Microsoft Intune (Endpoint Manager)

  1. Log in to Microsoft Endpoint Manager admin center.

  2. Go to Apps → App protection policies.

  3. Open the relevant policy → Screenshot the section showing restricted apps or allowed apps.

Google Endpoint Management

  1. Open Google Admin Console → Devices → Settings → Apps & Extensions.

  2. Select the organisational unit.

  3. Screenshot the policies showing which apps are allowed or blocked.


4. Evidence Format

  • Accepted file types: PNG, JPG, DOCX, PDF, XLSX.

  • Suggested naming format:
    YourCompanyName_ApplicationControlList_YYYY-MM-DD.pdf


5. What “Good” Looks Like

  • Document is clear and specific — not vague statements like “don’t install bad software.”

  • Includes both authorised and prohibited categories.

  • Version and review dates are present — shows it’s maintained, not abandoned.

  • Covers both software and attachments/file types.

Why this matters: auditors want to see not just that you thought about risky apps, but that you’ve formally documented and communicated it.


6. Tips

  • Keep the prohibited list practical — too many entries make it unreadable; group items into categories where you can.

  • Update this document at least annually or when new risks arise.

  • Pair it with your Endpoint/MDM settings if you use them — consistency matters.
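As an added example (not part of this guide and not StrongKeep's or any MDM vendor's tooling), the script below performs the consistency checks the sections above describe: that the document carries the required sections, that its last review is within a year, that it covers file types as well as software, that the prohibited list stays practical, and that everything the document prohibits is actually blocked in the MDM tool. The policy structure, the MDM export (treated as a plain set of blocked app names) and the entry-count threshold are assumptions made for this example; the sample data is constructed.

```python
"""Consistency self-check for an Application Control List (added example).

Assumptions made here, not StrongKeep's format or any vendor's API:
  - the policy document is a dict with the sections named in REQUIRED_SECTIONS;
  - the MDM blocklist export has been reduced to a set of blocked app names.
"""
from datetime import date

# Sections the guide says the document must clearly state
REQUIRED_SECTIONS = ("objective", "scope", "management", "prohibited", "version_history")
MAX_REVIEW_AGE_DAYS = 365      # "update this document at least annually"
MAX_PROHIBITED_ENTRIES = 25    # assumed threshold for a "practical" prohibited list

# Constructed sample policy, mirroring what section 2 asks the document to state
SAMPLE_POLICY = {
    "objective": "Prevent installation of unmanaged or malicious software.",
    "scope": ["employees", "contractors", "company-managed laptops and phones"],
    "management": "Software is installed and approved by IT via the MDM tool.",
    "authorised": "all software not listed as prohibited is allowed",
    "prohibited": {
        "software": ["torrent clients", "pirated software", "third-party app stores"],
        "file_types": [".exe attachments", "password-protected .zip archives"],
    },
    "version_history": [
        {"version": "1.0", "date": "2024-09-01", "note": "initial release"},
        {"version": "1.1", "date": "2025-09-20", "note": "annual review"},
    ],
}

# Constructed sample of an MDM blocklist export; note "pirated software" is missing
SAMPLE_MDM_BLOCKED = {"torrent clients", "third-party app stores"}


def missing_sections(policy):
    """Required sections that are absent or empty."""
    return [s for s in REQUIRED_SECTIONS if not policy.get(s)]


def last_review_date(policy):
    """Most recent date recorded in the version history."""
    return max(date.fromisoformat(e["date"]) for e in policy["version_history"])


def review_overdue(policy, today, max_age_days=MAX_REVIEW_AGE_DAYS):
    """True when the last review is older than max_age_days; today may be an ISO string."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    return (today - last_review_date(policy)).days > max_age_days


def mdm_gaps(policy, mdm_blocked):
    """Software prohibited in the document but not blocked by the MDM tool."""
    documented = {s.lower() for s in policy.get("prohibited", {}).get("software", [])}
    enforced = {s.lower() for s in mdm_blocked}
    return sorted(documented - enforced)


def check(policy, mdm_blocked, today):
    """Run every check and return plain-language findings (empty list = consistent)."""
    findings = [f"missing or empty section: {s}" for s in missing_sections(policy)]
    if policy.get("version_history") and review_overdue(policy, today):
        findings.append(f"last review {last_review_date(policy)} is older than "
                        f"{MAX_REVIEW_AGE_DAYS} days")
    prohibited = policy.get("prohibited", {})
    if not prohibited.get("file_types"):
        findings.append("prohibited list names no file types (attachments are uncovered)")
    count = len(prohibited.get("software", [])) + len(prohibited.get("file_types", []))
    if count > MAX_PROHIBITED_ENTRIES:
        findings.append(f"prohibited list has {count} entries; group them into categories")
    for gap in mdm_gaps(policy, mdm_blocked):
        findings.append(f"prohibited in document but not blocked by MDM: {gap}")
    return findings


if __name__ == "__main__":
    for line in check(SAMPLE_POLICY, SAMPLE_MDM_BLOCKED, "2025-09-23") or ["no findings"]:
        print(line)
```

Run before each review or audit submission: a non-empty findings list is exactly the gap an auditor would spot, whether a stale version history or a banned tool the MDM policy never actually blocks.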