GRCWatch
Sign inStart free trial

CIS Control 2.5: Allowlist Authorized Software

Application allowlisting is a critical defense against unauthorized software execution and supply chain attacks. CIS Control 2.5 requires technical controls to ensure only approved applications run on your systems, with reassessment every two years or more frequently as threats evolve.

What this means

This control mandates deploying technical mechanisms—such as application allowlisting solutions—to restrict execution to pre-approved software only. Rather than blocking known bad applications, allowlisting takes a zero-trust approach: only explicitly authorized programs are permitted to run. Organizations must maintain an updated inventory of authorized software and regularly review it to remove deprecated tools and add necessary applications. The bi-annual reassessment ensures your allowlist stays aligned with business needs and emerging security risks.

How to comply

  1. 1.Inventory all authorized software across your organization and document business justification for each application.
  2. 2.Deploy application allowlisting controls on endpoints, servers, and critical infrastructure using native OS tools or third-party solutions.
  3. 3.Configure allowlisting policies to restrict execution at the application, file hash, and certificate level where possible.
  4. 4.Establish an approval workflow for new software requests before adding applications to the allowlist.
  5. 5.Schedule and document bi-annual reviews of the authorized software inventory, removing obsolete tools and validating continued business need.
  6. 6.Monitor and log allowlist violations to detect unauthorized execution attempts and adjust policies accordingly.
  7. 7.Test allowlisting enforcement in stages to minimize business disruption during implementation.

Evidence auditors look for

  • Documented inventory of authorized software with business justification and approval dates.
  • Application allowlisting policy documentation including technical controls, exception procedures, and review schedule.
  • Configuration screenshots from allowlisting tools (e.g., Windows AppLocker, macOS notarization, EDR platforms).
  • Logs of allowlist violations and remediation actions taken.
  • Evidence of bi-annual reassessment: updated inventory, removed applications, approval records for new additions.
  • Change management records for allowlist updates and policy modifications.
  • Training records for security teams responsible for maintaining the allowlist.

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates your bi-annual allowlist reassessment workflow, tracks all software approvals and changes, and generates audit-ready evidence for CIS 2.5 compliance—eliminating manual spreadsheets and documentation gaps.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS 2.1 — Inventory and Control of Enterprise AssetsCIS 2.3 — Address Unauthorized SoftwareCIS 6.2 — Establish and Maintain a Data Security BaselineCIS 8.5 — Manage Allowlists and Denylists