
Constrained Language Mode

Reviewed by: Cenedril Editorial

Constrained Language Mode is a restriction level in PowerShell that limits usage to basic commands and data types. Advanced features such as .NET calls, COM objects, and custom types are blocked.

In an ISMS, Constrained Language Mode addresses the requirements of ISO 27001 Annex A controls A.8.19 (Software Installation) and A.8.1 (User Endpoint Devices). PowerShell is a commonly exploited tool in attacks (fileless malware, post-exploitation) because it offers powerful system access by default. Constrained Language Mode significantly reduces this attack surface. It is typically enforced through Windows Defender Application Control (WDAC) or AppLocker. Administrators can be given a separate PowerShell profile with full access.
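A check an administrator can run on an endpoint to confirm the restriction is actually in effect, as an added example that is not part of the original glossary entry. It reads the session's language mode and then probes the three feature classes named above (.NET calls, COM objects, custom types); the probe names and the `ClmProbeType` class are constructed for illustration.

```powershell
# Added example: verify that Constrained Language Mode is active and blocking
# what it should. All probes are benign and constructed for this illustration.

# The language mode of the current session (FullLanguage, ConstrainedLanguage, ...).
$mode = $ExecutionContext.SessionState.LanguageMode
"Language mode: $mode"

# One harmless probe per feature class the glossary entry lists as blocked.
$probes = @(
    @{ Name = '.NET method call'; Test = { [System.IO.Path]::GetTempPath() } },
    @{ Name = 'COM object';       Test = { New-Object -ComObject Scripting.Dictionary -ErrorAction Stop } },
    @{ Name = 'Custom type';      Test = { Add-Type -TypeDefinition 'public class ClmProbeType {}' -ErrorAction Stop } }
)

$allowed = 0
foreach ($probe in $probes) {
    try {
        # In ConstrainedLanguage each of these raises a terminating error.
        $null = & $probe.Test
        $result = 'ALLOWED'
        $allowed++
    }
    catch {
        $result = 'BLOCKED: ' + $_.Exception.Message
    }
    '{0,-18} {1}' -f $probe.Name, $result
}

# A session that reports ConstrainedLanguage but still lets a probe through
# points at a policy gap worth investigating (for example an allow rule that
# is broader than intended).
if ($mode -eq 'ConstrainedLanguage' -and $allowed -gt 0) {
    Write-Warning "$allowed probe(s) succeeded although the session reports ConstrainedLanguage."
}
elseif ($mode -ne 'ConstrainedLanguage') {
    Write-Warning "Session is running in $mode; Constrained Language Mode is not enforced here."
}
```

Run it as the standard user the policy targets, since an administrative context covered by an allow rule will legitimately report FullLanguage.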