PDF software security settings cannot be changed by users
Prevent users from changing PDF software security settings to enhance safety.
Plain language
This control makes sure that people in the organisation can't change the security settings of the software used to read PDF documents (for example, they can't switch JavaScript back on). This matters because PDFs are a common way to deliver malicious code, and a user who can weaken these settings makes that attack easier.
Framework
ASD Essential Eight
Control effect
Proactive
E8 mitigation strategy
Application hardening
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
PDF software security settings cannot be changed by users.
Why it matters
If users can change PDF reader security settings, protections such as JavaScript restrictions can be lowered or switched off, allowing a malicious PDF to run code on the workstation or exfiltrate data.
Operational notes
Enforce and lock PDF reader security preferences via central policy (e.g., Group Policy or an MDM configuration profile) so the settings are greyed out for users; disable risky features (e.g., JavaScript) and alert on configuration drift.
Implementation tips
- The IT team should set PDF software configuration policies in place. They can do this using group policies or equivalent settings to lock down PDF reader settings, ensuring users can't alter them.
- System administrators should install PDF software updates regularly. Keep the software up to date using automated tools to patch any security risks.
- Security officers should perform regular checks to confirm PDF security settings are intact. Use security tools that can scan these settings and alert if they have been changed.
- IT support should educate staff on safe handling of PDF files. Conduct training sessions to help users understand why certain settings are locked and the risks associated with opening unknown PDFs.
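The policy-lock and drift-check steps above, as an added example (this code is not from the Control Stack page or from ASD material). It checks a `reg export` of the Adobe Acrobat Reader DC policy key against a locked baseline and reports any value that is missing or differs, and it can emit the same baseline as a `.reg` file for `reg import` or a Group Policy registry preference. The key path and value names (`FeatureLockDown`, `bProtectedMode`, `iProtectedView`, `bEnhancedSecurityStandalone`, `bEnhancedSecurityInBrowser`, `bDisableJavaScript`, `bDisableTrustedFolders`) are taken from Adobe's documented Reader preferences and are an assumption to verify against the vendor preference reference for the deployed version; the sample export is constructed to show drift.

```python
"""Drift check for Adobe Acrobat Reader DC lockdown policy (added example).

Not Control Stack or ASD code. Key path and value names follow Adobe's
documented FeatureLockDown preferences (assumption: confirm against the vendor
preference reference for the Reader version you deploy). Values written under
HKLM\\SOFTWARE\\Policies override user preferences and grey out the matching
UI controls, which is the locked state this control asks for.
"""
import re
import sys

FEATURE_LOCKDOWN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown"

# Desired locked state (DWORD values). Assumed Adobe preference names.
BASELINE = {
    "bProtectedMode": 1,              # sandbox on and locked
    "iProtectedView": 2,              # Protected View for all files, locked
    "bEnhancedSecurityStandalone": 1,  # enhanced security on, locked
    "bEnhancedSecurityInBrowser": 1,
    "bDisableJavaScript": 1,          # JavaScript off and locked
    "bDisableTrustedFolders": 1,      # users cannot add privileged locations
}

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')

# Constructed sample of `reg export <key> out.reg` output: Protected View is
# off and the JavaScript lock is absent, so a user could change both.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown]
"bProtectedMode"=dword:00000001
"iProtectedView"=dword:00000000
"bEnhancedSecurityStandalone"=dword:00000001
"bEnhancedSecurityInBrowser"=dword:00000001
"bDisableTrustedFolders"=dword:00000001
"""


def parse_reg_export(text: str) -> dict:
    """Parse DWORD values from .reg text into {key_path: {value_name: int}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            current = section.group(1)
            keys.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            keys[current][value.group("name")] = int(value.group("hex"), 16)
    return keys


def check_drift(export_text: str, baseline: dict = BASELINE) -> list:
    """Return one finding per baseline value that is missing or differs."""
    values = parse_reg_export(export_text).get(FEATURE_LOCKDOWN)
    if values is None:
        # No policy key at all: nothing is locked, every setting is user-changeable.
        return [f"policy key absent: {FEATURE_LOCKDOWN}"]
    findings = []
    for name, want in baseline.items():
        got = values.get(name)
        if got is None:
            findings.append(f"{name}: not set (expected {want}); user can change this setting")
        elif got != want:
            findings.append(f"{name}: is {got}, expected {want}")
    return findings


def render_baseline_reg(baseline: dict = BASELINE) -> str:
    """Emit the baseline as .reg text for `reg import` or a GPO registry preference."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{FEATURE_LOCKDOWN}]"]
    for name, value in baseline.items():
        lines.append(f'"{name}"=dword:{value:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # A real `reg export` file is UTF-16 with a BOM; the sample is used otherwise.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for finding in check_drift(text) or ["no drift from baseline"]:
        print(finding)
```

Run on each workstation's export (collected by your SOE or endpoint management tooling) and raise an alert whenever `check_drift` returns a non-empty list; the baseline emitted by `render_baseline_reg` is the reference an auditor can compare against the greyed-out settings in the Reader preferences dialog.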
Audit / evidence tips
- Ask: Are PDF security settings restricted from user modification?
- Good: Policies should show that settings are locked (often greyed out) for users, ensuring that only authorised personnel can change them.
- Ask: How are updates to the PDF software managed?
- Good: The organisation should have a documented process for regular, automated updates to PDF software.
Cross-framework mappings
How E8-AH-ML2.10 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | ISM-1489 | E8-AH-ML2.10 requires preventing users from changing PDF software security settings |
| Partially overlaps | ISM-1585 | E8-AH-ML2.10 requires locking PDF software security settings so users cannot alter them |
| Partially overlaps | ISM-1748 | E8-AH-ML2.10 requires locking down PDF software security settings so users cannot change them |
| Partially overlaps | ISM-1823 | E8-AH-ML2.10 requires that PDF software security settings cannot be changed by users |
| Supports | ISM-1406 | ISM-1406 requires organisations to use SOEs for workstations and servers to ensure consistent and secure configurations |
| Supports | ISM-1670 | ISM-1670 requires the specific control that PDF applications cannot create child processes |
| Supports | ISM-1915 | ISM-1915 ensures that approved configurations for user applications are sustained |
| Related | ISM-1824 | E8-AH-ML2.10 requires that PDF software security settings are enforced such that users cannot change them |
| Related | ISM-1825 | ISM-1825 requires that users cannot change security product security settings, preventing weakening of security controls |
| Related | ISM-1858 | ISM-1858 requires organisations to harden IT equipment using ASD and vendor guidance, applying the most restrictive requirements when gui... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.