E8-AH-ML2.9: ASD Essential Eight

Ensure PDF software is securely configured using guidance.

Secure PDF applications based on guidance to protect against hacks.

Plain language

This control is about making sure your PDF software, like Adobe Reader, is set up in a way that makes it hard for hackers to break in. If you don't do this, a cybercriminal could get into your computer when you simply open a dodgy PDF file. Securing your PDF software helps protect important information and keeps your computer safe from attacks.

Framework

ASD Essential Eight

Control effect

Proactive

E8 mitigation strategy

Application hardening

Classifications

N/A

Official last update

N/A

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML2

Official control statement

PDF software is hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.

Why it matters

Weak PDF hardening (e.g., leaving JavaScript, embedded files or auto-launch enabled) can let malicious PDFs run code, leading to compromise and data exposure.

Operational notes

Configure PDF readers per ASD and vendor hardening (use most restrictive). Disable JavaScript/auto-actions, block embedded files, and verify settings after updates.

Implementation tips

  • IT team: Review all PDF software used in the organisation to ensure each product supports the required security settings. Check compatibility with ASD and vendor guidance to apply necessary configurations.
  • System administrator: Harden PDF software by disabling unnecessary features like JavaScript and multimedia content using guidance from ASD and the software vendor.
  • Security officer: Ensure all staff are using the most restrictive security settings in PDF software by enforcing these settings through a centralised management tool, like group policy.
  • IT team: Prevent users from changing security settings by locking configurations via group policy or the management console that comes with the PDF software.
  • System administrator: Regularly update PDF software to the latest version to patch any security vulnerabilities as per the vendor's instructions.
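
One way to apply the "most restrictive guidance takes precedence" rule and re-verify an endpoint after an update, as an added example that is not part of the original page or of ASD or vendor guidance. The setting names are Adobe Reader FeatureLockDown policy values; every baseline and endpoint value is constructed sample data, and the `locked` flag is an assumption meaning the value was read from machine policy rather than user preferences.

```python
# Added example: all baseline and endpoint values are constructed sample data.
# +1: a higher value is stricter; -1: a lower value is stricter.
DIRECTION = {
    "bDisableJavaScript": +1,           # 1 = JavaScript off
    "bProtectedMode": +1,               # 1 = sandbox on
    "iProtectedView": +1,               # 0 off, 1 unsafe locations, 2 all files
    "bEnhancedSecurityStandalone": +1,  # 1 = enhanced security on
    "iFileAttachmentPerms": +1,         # 1 = non-PDF/FDF attachments blocked
    "bEnableFlash": -1,                 # 0 = embedded Flash off
}

def stricter(name, a, b):
    """Return whichever of a, b is the more restrictive value for `name`."""
    return max(a, b) if DIRECTION[name] > 0 else min(a, b)

def merge_baselines(*baselines):
    """Combine guidance sources; the most restrictive value wins on conflict."""
    merged = {}
    for baseline in baselines:
        for name, value in baseline.items():
            merged[name] = stricter(name, merged[name], value) if name in merged else value
    return merged

def audit(required, endpoint):
    """endpoint maps name -> (value, locked). Returns sorted (name, finding) pairs."""
    findings = []
    for name, want in required.items():
        if name not in endpoint:
            findings.append((name, "not configured"))
            continue
        value, locked = endpoint[name]
        if stricter(name, value, want) != value:
            findings.append((name, f"weaker than baseline: {value} (need {want})"))
        if not locked:
            findings.append((name, "user can change it"))
    return sorted(findings)

ASD_SAMPLE = {"bDisableJavaScript": 1, "iProtectedView": 2, "bEnableFlash": 0}
VENDOR_SAMPLE = {"bDisableJavaScript": 1, "iProtectedView": 1, "bProtectedMode": 1,
                 "bEnhancedSecurityStandalone": 1, "iFileAttachmentPerms": 1}
# Endpoint state as read back after an update (constructed).
ENDPOINT_SAMPLE = {"bDisableJavaScript": (1, True), "iProtectedView": (1, True),
                   "bProtectedMode": (1, False), "bEnableFlash": (1, True),
                   "bEnhancedSecurityStandalone": (1, True)}

if __name__ == "__main__":
    for name, finding in audit(merge_baselines(ASD_SAMPLE, VENDOR_SAMPLE), ENDPOINT_SAMPLE):
        print(f"{name}: {finding}")
```

An endpoint value that is stricter than the merged baseline passes; only weaker, missing or user-changeable settings are reported.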
Audit / evidence tips

  • Ask: What security settings are applied to the PDF software?
  • Good: The PDF software is configured according to the most restrictive ASD and vendor guidance, with all potential security features enabled
  • Ask: Can users modify the PDF software security settings?
  • Good: Security settings are locked down and cannot be changed by end-users
  • Ask: How often is the PDF software updated?
  • Good: The PDF software is updated promptly whenever a new version or patch is released, reducing the risk of exploitation
Cross-framework mappings

How E8-AH-ML2.9 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)
Control | Notes
Annex A 8.9 | E8-AH-ML2.9 requires a secure configuration (hardening) for PDF software based on ASD and vendor guidance

ASD ISM

Partially overlaps (4)
Control | Notes
ISM-0289 | ISM-0289 requires evaluated products to be installed, configured, administered and operated in an evaluated configuration and in accordan...
ISM-1470 | E8-AH-ML2.9 requires PDF software to be hardened using ASD and vendor hardening guidance, applying the most restrictive guidance where th...
ISM-1824 | E8-AH-ML2.9 requires PDF software to be hardened using ASD and vendor guidance, ensuring secure baseline settings are applied
ISM-1859 | E8-AH-ML2.9 requires PDF software to be hardened using ASD and vendor guidance, prioritising the most restrictive settings

Supports (4)
Control | Notes
ISM-1406 | ISM-1406 requires organisations to use SOEs for workstations and servers to provide a consistent, controlled security baseline
ISM-1670 | E8-AH-ML2.9 mandates hardening of PDF software using ASD and vendor guidance to reduce exploitation risk
ISM-1798 | E8-AH-ML2.9 requires PDF software to be hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking prece...
ISM-1915 | ISM-1915 necessitates approved configurations for user applications, allowing for a maintained baseline

Related (3)
Control | Notes
ISM-1246 | ISM-1246 requires server applications to be hardened using ASD and vendor hardening guidance, applying the most restrictive requirement w...
ISM-1858 | ISM-1858 requires IT equipment to be hardened using ASD and vendor guidance, applying the most restrictive requirements where guidance co...
ISM-1860 | ISM-1860 requires PDF applications to be hardened using ASD and vendor hardening guidance, applying the most restrictive guidance where c...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
