Only privileged users can modify content in Trusted Locations
Ensure that only specific users can edit trusted macro locations to prevent malicious code.
Plain language
This control ensures that only certain trusted people can change the content of Trusted Locations in Microsoft Office. Trusted Locations are special locations where Office macros can run. If unqualified people can change what is in them, harmful code could be run unknowingly, which could compromise your entire system.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
RM
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Official control statement
Only privileged users responsible for checking that Microsoft Office macros are free of malicious code can write to and modify content within Trusted Locations.
Why it matters
If unauthorised users can modify Trusted Locations, malicious macros may execute without warning, compromising systems and data integrity.
Operational notes
Restrict Trusted Locations to privileged macro reviewers only; audit NTFS/share ACLs and monitor changes so non-privileged users cannot write content there.
Implementation tips
- IT team should identify who needs access to Trusted Locations by reviewing current user roles and responsibilities.
- System administrator should restrict write access to Trusted Locations to these identified privileged users using group policy settings.
- Security officer should train privileged users on securely checking macros for malicious code before placing in Trusted Locations.
- System administrator should regularly review and update the list of users with access to Trusted Locations to ensure it’s current.
- IT team should implement logging for changes to Trusted Locations to track who modified them and what changes were made.
- Security officer should establish a procedure for approving macro code to be placed in Trusted Locations that includes security checks.
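The ACL audit mentioned in the operational notes can be scripted. The following is an added example, not part of the control text: it reports every NTFS allow entry that grants write-type rights on a Trusted Location folder to a principal outside an approved list. The function name, the folder path and the group names in the usage comment are placeholders, and share-level permissions still need to be reviewed separately.

```powershell
# Added example: paths and principal names are supplied by the caller (placeholders).
function Get-TrustedLocationWriteFinding {
    [CmdletBinding()]
    param(
        # Folders configured as Office Trusted Locations.
        [Parameter(Mandatory)] [string[]] $Path,
        # Accounts or groups permitted to write, e.g. the privileged macro reviewers.
        [Parameter(Mandatory)] [string[]] $AllowedPrincipal
    )

    $r = [System.Security.AccessControl.FileSystemRights]
    # Rights that let a principal add, change, replace or re-permission content.
    $writeMask = [int]($r::WriteData -bor $r::AppendData -bor $r::Delete -bor
        $r::DeleteSubdirectoriesAndFiles -bor $r::ChangePermissions -bor $r::TakeOwnership)
    # Get-Acl can surface raw generic rights: GENERIC_WRITE and GENERIC_ALL.
    $writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

    foreach ($p in $Path) {
        $acl = Get-Acl -LiteralPath $p -ErrorAction Stop
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            $id = $ace.IdentityReference.Value
            if ($AllowedPrincipal -contains $id) { continue }
            [pscustomobject]@{
                Path      = $p
                Identity  = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
        # The owner can always rewrite the DACL, so an unapproved owner is a finding too.
        if ($AllowedPrincipal -notcontains $acl.Owner) {
            [pscustomobject]@{ Path = $p; Identity = $acl.Owner; Rights = 'Owner'; Inherited = $false }
        }
    }
}

# Usage (placeholder share and group names):
# Get-TrustedLocationWriteFinding -Path '\\fileserver.example\MacroTrusted' `
#     -AllowedPrincipal 'BUILTIN\Administrators','NT AUTHORITY\SYSTEM','EXAMPLE\Macro-Reviewers'
```

An empty result means no unapproved principal holds write-type rights through the NTFS ACL; saving the output from each review run gives dated evidence for the audit questions below.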
Audit / evidence tips
- Ask: Who is allowed to modify Trusted Locations in Microsoft Office?
- Good: Only those trained and authorised by management are listed, with documented responsibilities
- Ask: How do you ensure that macros in Trusted Locations are safe?
- Good: There is a step-by-step procedure requiring a security scan before a macro is approved for Trusted Locations
Cross-framework mappings
How E8-RM-ML3.3 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (3) | | |
| Annex A 5.18 | E8-RM-ML3.3 involves controlling who can modify content in trusted macro locations | |
| Annex A 8.2 | E8-RM-ML3.3 mandates restrictions on who can modify Microsoft Office Trusted Locations, specifically allowing only privileged users who v... | |
| Annex A 8.3 | E8-RM-ML3.3 restricts modification rights to Trusted Locations to authorised privileged users for macro-related content | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| ISM-1392 | ISM-1392 requires restricting who can modify files/folders covered by application control path rules | |
| ISM-1890 | E8-RM-ML3.3 restricts Trusted Location modifications to privileged macro verification users to prevent unauthorised placement | |
| Supports (2) | | |
| ISM-1671 | ISM-1671 requires Microsoft Office macros to be disabled for users unless they have a demonstrated business requirement | |
| ISM-1674 | ISM-1674 requires that only macros from a sandbox, Trusted Location, or trusted publisher signature can execute | |
| Related (1) | | |
| ISM-1487 | E8-RM-ML3.3 requires only privileged users who verify Microsoft Office macros to modify content within Trusted Locations | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.