ISM-1487 policy ASD Information Security Manual (ISM)

Restrict Macro Editing to Privileged Users

Only authorised users can edit trusted Microsoft Office macros to prevent malicious code.


Plain language

This control ensures that only certain people in your organisation can edit Microsoft Office macros, which are small programs used within documents. It's important because if the wrong person edits these macros, they could introduce harmful code that compromises your data or systems.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2023

Control Stack last updated

19 May 2026

E8 maturity levels

ML3

Official control statement

Only privileged users responsible for checking that Microsoft Office macros are free of malicious code can write to and modify content within Trusted Locations.

Why it matters

If non-privileged users can edit macros in Office Trusted Locations, malicious code may be introduced, enabling compromise and data loss.


Operational notes

Regularly audit privileged access so only authorised users can write or modify Office macros and content in Trusted Locations.


Implementation tips

  • IT manager: Identify team members who are responsible for checking and editing macros. These should be trusted individuals with a good understanding of security risks.
  • Security officer: Set permissions so only the identified team members can edit macros in Trusted Locations. This might involve using user profiles to limit who can make changes.
  • Office manager: Create a training session for the identified team members on how to safely handle and edit macros. Cover what signs of malicious code look like.
  • System administrator: Regularly review and update the list of authorised users who can edit macros to ensure it stays relevant as team members change.
  • HR and IT team: Collaborate to ensure that when a privileged user leaves the organisation, their access to edit macros is immediately revoked to prevent potential risks.
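As an added example (not code from the ISM or the Control Stack page), the following PowerShell script supports the audit described in the operational notes and the permission-setting tips above: it enumerates the Trusted Locations registered for Word, Excel, PowerPoint and Access, reads the NTFS ACL of each folder, and flags every principal holding write rights that is not on the authorised reviewer list. The Office version key `16.0`, the group `CONTOSO\Macro-Reviewers` and both function names are assumptions.

```powershell
# Added example: audit who can write to Office Trusted Locations (not ISM or Control Stack code).
# Assumptions: Office 16.0 registry layout; CONTOSO\Macro-Reviewers is a placeholder group name.
function Get-OfficeTrustedLocations {
    param([string]$OfficeVersion = '16.0')
    $apps  = 'Word', 'Excel', 'PowerPoint', 'Access'
    # Per-user settings and machine-wide policy can both define Trusted Locations
    $roots = "HKCU:\Software\Microsoft\Office\$OfficeVersion",
             "HKLM:\SOFTWARE\Policies\Microsoft\Office\$OfficeVersion"
    foreach ($root in $roots) {
        foreach ($app in $apps) {
            $key = "$root\$app\Security\Trusted Locations"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            foreach ($sub in Get-ChildItem -LiteralPath $key) {
                $props = Get-ItemProperty -LiteralPath $sub.PSPath
                if (-not $props.Path) { continue }
                [pscustomobject]@{
                    App             = $app
                    Path            = [Environment]::ExpandEnvironmentVariables($props.Path)
                    AllowSubfolders = [bool]$props.AllowSubfolders
                    Source          = $sub.Name
                }
            }
        }
    }
}

function Test-TrustedLocationAcl {
    param([string[]]$AuthorisedPrincipals, [string]$OfficeVersion = '16.0')
    # Any of these rights lets a principal add, alter or replace a macro-enabled file
    $writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete'
    foreach ($loc in Get-OfficeTrustedLocations -OfficeVersion $OfficeVersion) {
        if (-not (Test-Path -LiteralPath $loc.Path)) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $loc.Path).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            $who = $ace.IdentityReference.Value
            # A Trusted Location inside the user's own profile always shows that user as writable;
            # such entries are findings unless the user is an authorised macro reviewer
            $finding = if ($AuthorisedPrincipals -contains $who) { 'OK' } else { 'UNAUTHORISED WRITE' }
            [pscustomobject]@{
                App = $loc.App; Path = $loc.Path; Principal = $who
                Rights = $ace.FileSystemRights; Finding = $finding
            }
        }
    }
}

# Placeholder authorised list: the macro-review group plus the built-in accounts that own the folders
$authorised = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CONTOSO\Macro-Reviewers'
Test-TrustedLocationAcl -AuthorisedPrincipals $authorised |
    Sort-Object Finding -Descending | Format-Table -AutoSize
```

Run it under each user profile that is in scope, since HKCU entries differ per user; the HKLM policy entries are shared machine-wide.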

Audit / evidence tips

  • Ask for: A list of employees authorised to edit macros; ensure the list corresponds with current job roles and responsibilities. Good evidence: A list dated within the last year, with signatures confirming that the people named understand their responsibilities.
  • Ask for: Security settings on Microsoft Office; request evidence of the permissions set for Trusted Locations. Good evidence: Documentation showing that restricted access is properly configured.
  • Ask for: Documentation of recent macro edits. Good evidence: Records including timestamps and editor IDs that align with the authorised list.
  • Ask for: The training materials used for macro security. Good evidence: Materials including recent training dates and content relevant to the current security landscape.
  • Ask for: Termination checklists for former employees; ensure access rights have been revoked for people who no longer work with the organisation. Good evidence: Completed checklists that reflect immediate removal of edit privileges upon employment cessation.

Cross-framework mappings

How ISM-1487 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially overlaps (1)
  • Annex A 8.2: Annex A 8.2 requires privileged access rights to be restricted and managed, including limiting who can perform high-impact administrative...

E8

Supports (2)
  • E8-RM-ML3.1: ISM-1487 mandates that only privileged, authorised macro reviewers can modify content within Microsoft Office Trusted Locations.
  • E8-RM-ML3.2: E8-RM-ML3.2 requires macros to be checked for malicious code before they are signed or placed in Trusted Locations.

Related (1)
  • E8-RM-ML3.3: E8-RM-ML3.3 requires that only privileged users who verify Microsoft Office macros can modify content within Trusted Locations.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
