Validate list of trusted publishers in Microsoft Office annually
Regularly check and confirm trusted publishers in Microsoft Office to prevent unauthorized macro use.
Plain language
This control is about checking the list of trusted publishers in Microsoft Office every year. It's important because if you don't, someone might sneak in malicious macros that can harm your computer or steal your information.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
RM
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Official control statement
Microsoft Office’s list of trusted publishers is validated on an annual or more frequent basis.
Why it matters
If trusted publishers are not revalidated, malicious Office macros may run, causing data breaches and financial loss.
Operational notes
Review Office trusted publishers at least annually; remove stale certificates and confirm publisher legitimacy with vendors.
Implementation tips
- The IT team should create a list of all current trusted publishers in Microsoft Office by accessing the Trust Center settings in Office applications.
- The system administrator should schedule an annual review of the trusted publishers' list to ensure only authorised publishers are included.
- The security officer should cross-check the list against known trusted and approved publishers within your organisation or industry standards to confirm validity.
- The IT team should remove any publishers that are no longer trusted or necessary by accessing the Trust Center and editing the list accordingly.
- The policy officer should document the review process and any changes made in a formal report to maintain records for compliance purposes.
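The review steps above can be scripted. The following is an added example, not part of the original control text: it inventories the Windows Trusted Publishers certificate stores (where Office keeps the publishers it trusts for signed macros), flags entries that are missing from an approved list or are expired, and writes a dated report as review evidence. The file paths, the `Thumbprint` column name and the 90-day warning window are assumptions.

```powershell
# Added example: report-only inventory of trusted publishers for the annual review.
# ASSUMPTION: approved-publishers.csv is a hypothetical file your organisation
# maintains, with a 'Thumbprint' column listing approved signer certificates.
param(
    [string]$ApprovedListPath = '.\approved-publishers.csv',      # hypothetical path
    [string]$ReportPath       = '.\trusted-publisher-review.csv', # hypothetical path
    [int]$ExpiryWarningDays   = 90                                # assumed window
)

$approved = @{}
if (Test-Path -LiteralPath $ApprovedListPath) {
    Import-Csv -LiteralPath $ApprovedListPath | ForEach-Object {
        # Normalise: thumbprints are often pasted with spaces or in lower case.
        $approved[($_.Thumbprint -replace '\s', '').ToUpperInvariant()] = $true
    }
} else {
    Write-Warning 'Approved list not found; every publisher will be flagged.'
}

$now    = Get-Date
$stores = 'Cert:\CurrentUser\TrustedPublisher', 'Cert:\LocalMachine\TrustedPublisher'

# @() keeps $report an array even when both stores are empty.
$report = @(foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
        $findings = @()
        if (-not $approved.ContainsKey($_.Thumbprint)) { $findings += 'NotOnApprovedList' }
        if ($_.NotAfter -lt $now) { $findings += 'Expired' }
        elseif ($_.NotAfter -lt $now.AddDays($ExpiryWarningDays)) { $findings += 'ExpiringSoon' }

        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            Findings   = if ($findings) { $findings -join ';' } else { 'OK' }
            ReviewedBy = $env:USERNAME
            ReviewedOn = $now.ToString('yyyy-MM-dd')
        }
    }
})

# The CSV is the audit evidence; the table shows only entries needing a decision.
$report | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
$report | Where-Object Findings -ne 'OK' |
    Format-Table Store, Subject, Thumbprint, Findings -AutoSize
```

The script changes nothing in the stores; removal stays a deliberate step after the security officer has confirmed each flagged entry. Run it in the user's context as well as on the machine, because the `CurrentUser` store differs per account.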
Audit / evidence tips
- Ask: Can you show me how often the list of trusted publishers in Microsoft Office is reviewed?
- Good: There is a documented schedule showing an annual review with evidence of who performed it and when
- Ask: How does the organisation determine which publishers remain trusted?
- Good: There is a clear guideline approved by the security team on how to evaluate trusted publishers
Cross-framework mappings
How E8-RM-ML3.6 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| ISM-1582 | E8-RM-ML3.6 requires an annual validation of Microsoft Office’s trusted publishers list to ensure only approved macro signers remain trusted | |
| Supports (2) | | |
| ISM-1674 | ISM-1674 requires that macro execution is limited to sandboxed macros, Trusted Locations, or those signed by a trusted publisher | |
| ISM-1675 | E8-RM-ML3.6 requires organisations to annually validate the Microsoft Office trusted publishers list so trust decisions about macro signe... | |
| Related (1) | | |
| ISM-1676 | ISM-1676 requires Microsoft Office’s list of trusted publishers to be validated at least annually | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.