E8-RM-ML3.2 (ASD Essential Eight)

Check Microsoft Office macros for malicious code before signing or trusting

Ensure Office macros are safe from malicious code before trusting or signing.


Plain language

This control means making sure that any macros (small programs) in Microsoft Office files are not harmful before you decide to trust them or give them special permissions. It's important because malicious macros can act like hidden doors for hackers to enter your system, potentially causing serious damage and data breaches.

Framework

ASD Essential Eight

Control effect

Preventative

E8 mitigation strategy

RM

Classifications

N/A

Official last update

N/A

Control Stack last updated

19 May 2026

E8 maturity levels

ML3

Official control statement

Microsoft Office macros are checked to ensure they are free of malicious code before being digitally signed or placed within Trusted Locations.

Why it matters

Unchecked Office macros can contain malicious code that runs when trusted, enabling malware execution and potential data compromise.


Operational notes

Review and scan Office macro code before digital signing or adding to Trusted Locations; tightly control who can sign and audit signed macros.


Implementation tips

  • System Administrator should identify all users who have a business need to use macros and ensure those users are accounted for in an approved list.
  • IT Team should configure security settings to automatically check and block any macros unless they are confirmed safe through antivirus scanning and have proper digital signatures.
  • Security Officer should regularly update and review the Trusted Publisher list in Microsoft Office to ensure only trusted sources are allowed to execute macros.
  • System Administrator should create a process for checking every macro that needs to be used with detailed steps on how to verify it does not contain malicious code before it gets any special permissions.

Audit / evidence tips

  • Ask: How do you ensure only trusted macros are used in the organisation?
  • Good: The organisation uses antivirus scanning and trusted publisher lists, and regularly checks this list for updates.
  • Ask: Are there specific records for users with authorisation to use macros?
  • Good: There is a documented list of users with business justifications and permissions, updated regularly.
  • Ask: How is the digital signature of macros verified?
  • Good: There is a detailed procedure to verify macros by digital signature before they are deemed trustworthy.

Cross-framework mappings

How E8-RM-ML3.2 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ASD ISM

Partially overlaps (1)

  • ISM-1796: ISM-1796 requires executable files to be digitally signed using a certificate with a verifiable chain of trust as part of software develo...

Supports (7)

  • ISM-1487: E8-RM-ML3.2 requires macros to be checked for malicious code before they are signed or placed in Trusted Locations.
  • ISM-1672: E8-RM-ML3.2 requires macros to be checked to ensure they are free of malicious code before being signed or trusted via Trusted Locations.
  • ISM-1674: ISM-1674 requires that only macros from sandboxed environments, Trusted Locations, or signed by a trusted publisher are allowed to execute.
  • ISM-1675: ISM-1675 requires blocking enablement of macros signed by an untrusted publisher via Office prompts.
  • ISM-1891: E8-RM-ML3.2 requires that macros are checked for malicious code before being trusted via signing or Trusted Locations.
  • ISM-1969: ISM-1969 requires that malicious code is treated before it is stored or communicated so it cannot be accidentally executed.
  • ISM-2050: E8-RM-ML3.2 requires macros to be checked for malicious code before being digitally signed or placed in Trusted Locations.

Related (2)

  • ISM-1890: E8-RM-ML3.2 requires Microsoft Office macros to be checked to ensure they are free of malicious code before they are digitally signed or ...
  • ISM-2026: ISM-2026 requires all software artefacts (including compiled code, third-party libraries and components) to be scanned for malicious code...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
