E8-AH-ML2.7 ASD Essential Eight

Office productivity suite settings are immutable by users

Ensure users cannot change security settings in office applications.

Plain language

This control is about making sure that people in the organisation can't change security settings in software like Microsoft Office. This is important because if security settings are altered, it could make the software more vulnerable to attacks, like viruses or hackers trying to steal information.

Framework

ASD Essential Eight

Control effect

Proactive

E8 mitigation strategy

Application hardening

Classifications

N/A

Official last update

N/A

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML2

Official control statement

Office productivity suite security settings cannot be changed by users.

Why it matters

Allowing users to change Office suite settings can disable protections like macro controls, increasing malware infection and data breach risk.

Operational notes

Enforce Office security settings via GPO/Intune and routinely audit policy drift so any user-attempted changes are blocked or reverted.

Implementation tips

  • IT team should identify all office productivity software used within the organisation; check for Microsoft Office, Google Workspace, and others.
  • System administrator needs to configure security settings in office applications; use tools provided by the software vendor, like Group Policy for Microsoft Office, to lock these settings.
  • Security officer should communicate these changes to staff; explain that certain settings will be greyed out or inaccessible to protect data.
  • IT team must regularly update the restrictions based on software updates; coordinate with the security officer to ensure any changes in vendor guidance are applied promptly.

Audit / evidence tips

  • Ask: How has the organisation ensured that users cannot change office productivity suite security settings?
  • Good: Security settings for office productivity suites are configured to be immutable by users, with specific policies in place and confirmation of regular auditing.

Cross-framework mappings

How E8-AH-ML2.7 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ASD ISM

Control Notes Details
Partially meets (1)
ISM-1669 ISM-1669 requires Microsoft Office to be blocked from injecting code into other processes
Partially overlaps (3)
ISM-0382 ISM-0382 requires that unprivileged users cannot uninstall or disable approved applications
ISM-1489 E8-AH-ML2.7 requires that office productivity suite security settings cannot be changed by users
ISM-1824 ISM-1824 requires that PDF application security settings cannot be changed by users
Supports (4)
ISM-1536 ISM-1536 requires a specific Microsoft Office security configuration: blocking activation of OLE packages
ISM-1542 E8-AH-ML2.7 requires that office productivity suite security settings cannot be changed by users
ISM-1673 E8-AH-ML2.7 requires that office productivity suite security settings cannot be changed by users
ISM-1915 ISM-1915 requires maintenance of approved configurations across applications
Related (4)
ISM-1823 E8-AH-ML2.7 requires that office productivity suite security settings are immutable by users
ISM-1825 ISM-1825 requires that security product security settings cannot be changed by users, ensuring protective controls remain enforced
ISM-1858 ISM-1858 requires IT equipment to be hardened using ASD and vendor hardening guidance, taking the most restrictive guidance when conflict...
ISM-1859 ISM-1859 requires office productivity suites to be hardened using ASD and vendor guidance, choosing the most restrictive configuration wh...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
