E8-AH-ML2.6 ASD Essential Eight

Office productivity suites are hardened using ASD and vendor guidance

Ensure office suites follow the strictest security guidelines to reduce risks.


Plain language

This control is about making sure that office software like Microsoft Word and Excel is set up to be secure. It's important because if these programs aren't properly protected, they could be a way for hackers to break into your computer and steal information or cause damage.

Framework

ASD Essential Eight

Control effect

Proactive

E8 mitigation strategy

Application hardening

Classifications

N/A

Official last update

N/A

Control Stack last updated

19 May 2026

E8 maturity levels

ML2

Official control statement

Office productivity suites are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.

Why it matters

Poorly hardened office suites can enable macros and add-ins to be exploited, leading to data breaches and compromised systems.

Operational notes

Regularly verify ASD and vendor hardening baselines for Office apps (macros, add-ins, Protected View) are enforced; apply the most restrictive setting if guidance conflicts.

Implementation tips

  • The IT team should review the vendor's security guidelines and the Australian Signals Directorate's recommendations for office software to ensure all settings are correctly applied.
  • System administrators need to configure office software settings using group policies so users can't change them later. This can be done through a centralised management tool.
  • Security officers should conduct regular checks to make sure the most restrictive security settings are still in place and that no new vulnerabilities have been introduced with updates.
  • System administrators should regularly update office software to the latest version, as updates often include security patches for known vulnerabilities.

Audit / evidence tips

  • Ask: How are security settings for office software determined?
  • Good: The settings should align with the most restrictive guidelines available from the ASD and the software vendor.
  • Ask: How are users prevented from altering security settings?
  • Good: Group policy settings should prevent users from changing security configurations, and these settings should be visibly effective in the software.

Cross-framework mappings

How E8-AH-ML2.6 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 8.9: E8-AH-ML2.6 requires implementing hardened configurations for office productivity suites based on ASD and vendor guidance

ASD ISM

Partially meets (1)

  • ISM-1915: E8-AH-ML2.6 requires office productivity suites to be hardened using ASD and vendor hardening guidance, applying the most restrictive set...

Partially overlaps (1)

  • ISM-0289: ISM-0289 requires evaluated products to be installed, configured, administered and operated in an evaluated configuration and in accordan...

Supports (2)

  • ISM-0290: ISM-0290 requires high assurance IT equipment to be installed and configured in an evaluated configuration in accordance with ASD guidance
  • ISM-1798: E8-AH-ML2.6 requires organisations to harden office productivity suites using ASD and vendor hardening guidance, with the most restrictiv...

Related (5)

  • ISM-1235: E8-AH-ML2.6 requires hardening office productivity suites using ASD and vendor hardening guidance to reduce exposure to common attack tec...
  • ISM-1246: ISM-1246 requires server applications to be hardened using ASD and vendor hardening guidance, applying the most restrictive requirement w...
  • ISM-1668: E8-AH-ML2.6 requires organisations to harden office productivity suites using ASD and vendor hardening guidance, applying the most restri...
  • ISM-1858: ISM-1858 requires IT equipment to be hardened using ASD and vendor hardening guidance, defaulting to the most restrictive guidance when c...
  • ISM-1859: ISM-1859 requires office productivity suites to be hardened using ASD and vendor hardening guidance, applying the most restrictive settin...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
