Lesson 8.3 — Application allow listing: approved applications, code signing and blocking untrusted software

This lesson explains the application allow listing route within the Cyber Essentials Malware Protection control.

What You'll Be Able to Do

By the end of this lesson, you will be able to:

  • explain what application allow listing is
  • identify where it is suitable
  • create or review an approved application list
  • understand the role of code signing
  • check whether users can install unsigned or invalidly signed applications
  • review exceptions and emergency changes

Why This Matters

Allow listing is not the same as anti-malware software. Anti-malware tries to recognise and stop known-bad code; allow listing refuses to run anything that has not been explicitly approved. That inverts the usual model, so the approved list has to be accurate and has to be technically enforced. This lesson covers why applications must be approved before deployment rather than after, why code signing is the practical way to identify an approved application on the device, why unsigned or invalidly signed applications must be blocked, and what evidence the organisation needs if allow listing is its chosen malware protection route. The common mistakes are listed later in this lesson.

The Core Rule

Application allow listing is one of the accepted Cyber Essentials malware protection routes.

It works by allowing only approved applications to execute and blocking everything else. The blocking must be technical enforcement on the device (for example a Windows AppLocker or App Control policy, or an equivalent third-party product), not a written list of permitted software. A software inventory records what is installed; an allow list decides what is permitted to run.

What the CE Assessor Looks For

A strong position shows:

  • device groups using allow listing are clearly identified;
  • only approved applications can execute on those devices;
  • applications are actively approved before deployment, not after;
  • a current approved application list exists and is maintained;
  • approved applications are identified and restricted by code signing;
  • unsigned and invalidly signed applications are blocked, and users cannot install them.
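As an added worked example (not from the lesson, and not a Cyber Essentials requirement in itself), the following PowerShell audits a directory on a Windows device that enforces allow listing with AppLocker. It records each file's Authenticode signature status, compares the signer against an assumed approved-publisher record, and asks the effective AppLocker policy what it would decide for an ordinary user. The directory path, the approved-publisher value and the function names are illustrative assumptions.

```powershell
# Added example, not part of the lesson or of Cyber Essentials itself. Assumes AppLocker
# on Windows; the directory and the approved-publisher list below are illustrative.

# Publisher subjects the organisation has actively approved before deployment.
# Assumed value for illustration; replace with the organisation's approved application record.
$ApprovedPublishers = @(
    'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
)

function Get-SigningStatus {
    param([Parameter(Mandatory)][string]$Path)

    # Status is Valid, NotSigned, HashMismatch (file changed after signing), NotTrusted
    # (chain does not end at a trusted root), or a format/unknown error.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $Path
        Status    = $sig.Status
        Publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Message   = $sig.StatusMessage
    }
}

function Test-ApprovedApplication {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$User = 'Everyone'   # test as an ordinary user, not as the admin running the check
    )

    $info = Get-SigningStatus -Path $Path

    # The lesson's rule: not approved, trusted and signed means it must not run.
    # An invalid signature (HashMismatch, NotTrusted) is treated the same as unsigned.
    $approved = ($info.Status -eq 'Valid') -and ($ApprovedPublishers -contains $info.Publisher)

    # What the enforcement layer would decide for this file under the effective policy
    # (local policy merged with Group Policy).
    $policy   = Get-AppLockerPolicy -Effective
    $decision = Test-AppLockerPolicy -PolicyObject $policy -Path $Path -User $User

    [pscustomobject]@{
        Path             = $info.Path
        SignatureStatus  = $info.Status
        Publisher        = $info.Publisher
        ApprovedByRecord = $approved
        PolicyDecision   = $decision.PolicyDecision     # Allowed, Denied or DeniedByDefault
        MatchingRule     = $decision.MatchingRule
        # Policy and approved record disagree: either an approved application is blocked,
        # or something unapproved (including anything unsigned) would be allowed to run.
        Mismatch         = ($approved -ne ($decision.PolicyDecision -eq 'Allowed'))
    }
}

function Get-ApplicationAllowListReport {
    param([Parameter(Mandatory)][string]$Directory)

    Get-ChildItem -Path $Directory -Recurse -File -Include *.exe, *.dll, *.msi |
        ForEach-Object { Test-ApprovedApplication -Path $_.FullName }
}

# Example run against an assumed directory: list everything that is unsigned or
# invalidly signed, or where the policy decision does not match the approved record.
Get-ApplicationAllowListReport -Directory 'C:\Program Files\ExampleVendor' |
    Where-Object { $_.SignatureStatus -ne 'Valid' -or $_.Mismatch } |
    Format-Table Path, SignatureStatus, PolicyDecision, ApprovedByRecord, Publisher -AutoSize
```

Run it in an elevated PowerShell on a device from the allow-listed group. Any row whose SignatureStatus is not Valid but whose PolicyDecision is Allowed is exactly the gap the assessor is looking for: an unsigned or invalidly signed application that users can run. A common cause is AppLocker's default path rule that allows everything under %PROGRAMFILES%; replacing path rules with publisher rules is what makes the code-signing restriction actually hold. Test-AppLockerPolicy only evaluates the policy, so a Denied result is meaningful only if the rule collection is in enforce mode (not audit-only) and the Application Identity service is running.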

Common Mistakes

  • confusing software inventory with allow listing;
  • claiming allow listing without technical enforcement;
  • approving applications after deployment instead of before;
  • failing to maintain a current approved list;
  • allowing users to install unsigned applications;
  • allowing invalidly signed applications to run.

Copy This

Keep this rule visible:

If the application is not approved, trusted and signed, it should not run on a device protected by allow listing.

Quick Checklist

Before moving on, make sure you can answer each of these:

  • [ ] What is application allow listing?
  • [ ] How is allow listing different from anti-malware software?
  • [ ] What does Cyber Essentials expect where allow listing is used?
  • [ ] Why is a software inventory not the same as an allow list?
  • [ ] Why does code signing matter?

Your Action

Do this now — it takes 10–20 minutes.

If allow listing is used on any devices: document which devices it covers, which applications are on the approved list and how each was approved before deployment, and how the list is enforced (which policy or product, and that enforcement is active rather than audit-only). Add to Section MP.
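An added example, not part of the lesson, of collecting that enforcement evidence from a Windows device allow listed with AppLocker. It exports the effective policy to a file and then summarises, for each rule collection, whether enforcement is on, whether the Application Identity service is running, how many publisher, hash and path rules exist, and whether any broad allow-by-path rule would let unsigned software run. The output path, the function name and the list of locations treated as broad are assumptions; organisations using App Control for Business or a third-party product need the equivalent export from that tool.

```powershell
# Added example, not part of the lesson. Assumes AppLocker on Windows and an elevated
# PowerShell session; the evidence path and the "broad location" pattern are assumptions.

function Get-AllowListEnforcementSummary {
    param([string]$EvidencePath = "$env:USERPROFILE\Desktop\applocker-effective-policy.xml")

    # The effective policy (local plus Group Policy) in XML form is the evidence artefact.
    $xmlText = Get-AppLockerPolicy -Effective -Xml
    Set-Content -Path $EvidencePath -Value $xmlText -Encoding UTF8
    [xml]$policy = $xmlText

    # AppLocker enforces nothing unless the Application Identity service is running,
    # whatever the policy says.
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue

    foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
        # SelectNodes gives a proper count even when a rule type is absent.
        $publisherRules = $rc.SelectNodes('FilePublisherRule')
        $hashRules      = $rc.SelectNodes('FileHashRule')
        $pathRules      = $rc.SelectNodes('FilePathRule')

        # Allow-by-path rules on whole system locations (the default rules use
        # %PROGRAMFILES%\* and %WINDIR%\*) let unsigned software run and so undermine
        # the requirement that applications are restricted by code signing.
        $broadAllowPaths = $pathRules |
            Where-Object { $_.Action -eq 'Allow' } |
            ForEach-Object { $_.Conditions.FilePathCondition.Path } |
            Where-Object { $_ -match '^%(PROGRAMFILES|WINDIR|OSDRIVE|SYSTEM32)%\\\*$' }

        [pscustomobject]@{
            Collection      = $rc.Type                 # Exe, Msi, Script, Dll, Appx
            EnforcementMode = $rc.EnforcementMode      # Enabled, AuditOnly or NotConfigured
            ServiceRunning  = [bool]($svc -and $svc.Status -eq 'Running')
            PublisherRules  = $publisherRules.Count
            HashRules       = $hashRules.Count
            PathRules       = $pathRules.Count
            BroadAllowPaths = (@($broadAllowPaths) -join '; ')
            EvidenceFile    = $EvidencePath
        }
    }
}

Get-AllowListEnforcementSummary | Format-Table -AutoSize
```

For Section MP, keep the exported XML alongside the approved application record. A collection whose EnforcementMode is AuditOnly, a ServiceRunning value of False, or a non-empty BroadAllowPaths column each means the approved list is documented but not actually enforced, which is the "claiming allow listing without technical enforcement" mistake above.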

Key Takeaway

If the application is not approved, trusted and signed, it should not run on a device protected by allow listing.

Your Workbook Activity

Complete: Application allow listing review and approved application record

Next Lesson

In the next lesson: Application sandboxing: how app store controls work and what to check for Option B