Disable Microsoft Office macros for users without a business need
Ensure only users with a specific business need can run Microsoft Office macros.
Plain language
This control is about stopping unauthorised users from using Microsoft Office macros unless they have a clear business reason to do so. Macros can run harmful code if used by the wrong people, potentially leading to data theft or damage. By limiting who can use them, you're reducing the risk of a cyber attack on your organisation.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
RM
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1
Official control statement
Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.
Why it matters
If users without a business need can run Office macros, malicious code may execute, leading to data compromise and operational disruption.
Operational notes
Maintain an approved list of users who need Office macros, review it regularly, and disable macros by default for all others.
Implementation tips
- The IT team should disable macros for all users by default. They can do this by adjusting the group policy settings across all company computers.
- System administrators should gather requests from users who claim a business need for macros. They should verify if the need is legitimate before enabling macro access.
- The security officer should maintain a list of users with macro access. This list should be regularly reviewed and updated in the Active Directory group.
- Regularly review who needs macro access; system administrators should remove macro permissions from users who no longer require them for their role.
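An added PowerShell audit script (not part of the Control Stack page) that checks the points above on one workstation: it reads the Office macro policy (the VBAWarnings registry value set by group policy) for each Office application and compares it with the current user's membership of the approved-users group. It assumes Office 2016 or later (policy keys under `...\Office\16.0`) and a hypothetical AD group named `Office-Macro-Approved` holding the users with a demonstrated business need.

```powershell
# Added audit script; not from the Control Stack page. Assumes Office 2016 or later
# (policy keys under ...\Office\16.0) and a hypothetical AD group "Office-Macro-Approved"
# that holds the users with a demonstrated business need.
$ApprovedGroup = 'Office-Macro-Approved'            # hypothetical exception group
$Apps = 'Word', 'Excel', 'PowerPoint', 'Outlook', 'Access'
# VBAWarnings values as defined in the Office group policy templates:
$Meaning = @{
    1 = 'Enable all macros (non-compliant)'
    2 = 'Disable with notification (user can still enable)'
    3 = 'Disable except digitally signed macros'
    4 = 'Disable without notification'
}

function Get-MacroPolicy {
    param([string]$App)
    # Report the policy value from each hive where it is set; an unset policy means
    # the user can change the setting in the Trust Center, which is not "disabled".
    $found = foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\Software\Policies\Microsoft\Office\16.0\$App\Security"
        $v = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        if ($null -ne $v) {
            [pscustomobject]@{ App = $App; Hive = $hive; VBAWarnings = [int]$v; Meaning = $Meaning[[int]$v] }
        }
    }
    if ($found) { return $found }
    [pscustomobject]@{ App = $App; Hive = 'none'; VBAWarnings = $null; Meaning = 'No policy set (user-configurable)' }
}

# Resolve the current user's group SIDs to names and test for the exception group.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$groupNames = $identity.Groups | ForEach-Object {
    try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value }
}
$isApproved = [bool]($groupNames | Where-Object { $_ -like "*\$ApprovedGroup" })

$report = foreach ($app in $Apps) {
    foreach ($p in Get-MacroPolicy -App $app) {
        # Assumption: "disabled" for a non-approved user means value 4 (disable without
        # notification); anything else leaves the user a way to run macros.
        $compliant = $isApproved -or ($p.VBAWarnings -eq 4)
        $p | Add-Member -NotePropertyName Compliant -NotePropertyValue $compliant -PassThru
    }
}
"User $($identity.Name) is in the approved macro group: $isApproved"
$report | Format-Table App, Hive, VBAWarnings, Meaning, Compliant -AutoSize
```

Run it under the account being audited, since the HKCU policy and group membership are per user; a row with Compliant = False for a user outside the approved group is the finding to record as evidence.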
Audit / evidence tips
- Ask: Are macros disabled for users who do not have a business need?
- Good: Macro settings are configured to disable all macros by default, with exceptions noted and documented.
- Ask: Is there documentation of the business requirements for enabled macro access?
- Good: There is clear documentation showing approvals for each user who has macro access, aligned with Active Directory permissions.
Cross-framework mappings
How E8-RM-ML1.1 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 5.15 | E8-RM-ML1.1 mandates a specific access rule: users without business need must not be able to run Office macros | |
| Annex A 5.18 | E8-RM-ML1.1 requires macros to be disabled for users who do not have a business need, effectively limiting execution rights | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| ISM-1674 | ISM-1674 requires that only macros from a sandboxed environment, Trusted Location, or trusted publisher signature are allowed to execute | |
| ISM-1675 | ISM-1675 requires that macros signed by an untrusted publisher cannot be enabled via the Message Bar or Backstage View | |
| Supports (1) | | |
| ISM-1489 | E8-RM-ML1.1 requires macros to be disabled for users without a business need | |
| Related (1) | | |
| ISM-1671 | E8-RM-ML1.1 requires Microsoft Office macros to be disabled for users unless they have a demonstrated business need | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.