ISM-1536, ASD Information Security Manual (ISM)

Prevent OLE Package Activation in Microsoft Office

Ensure Microsoft Office is set to block the use of OLE packages for added security.

Plain language

This control ensures that Microsoft Office is set up to block the activation of OLE packages, which are a way of linking or embedding objects from different applications. This is important because OLE packages can be exploited by hackers to run malicious code on your computer, leading to potential data breaches or system damage.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

All queries to databases from software that are initiated by users, and any resulting crash or error messages, are centrally logged.

Why it matters

If user-initiated database queries and resulting errors aren’t centrally logged, malicious or unauthorised queries may go undetected and investigations may be hindered.

Operational notes

Configure central logging for user-initiated database queries and related crashes/errors; review logs routinely and alert on suspicious or repeated failures.

Implementation tips

  • IT Team should configure Microsoft Office settings: Use the Office Group Policy settings to disable OLE package activation. This involves accessing the administrative template files in Group Policy Editor and setting the required configurations to prevent OLE features from functioning.
  • System Administrator should update policies: Make sure that your organisation's IT policy includes a section that specifically disallows the use of OLE packages. Include instructions for keeping software up to date to ensure security patches are applied.
  • Security Officer should train staff: Educate staff about the risks of OLE packages and explain why such features are being disabled. Use simple examples and demonstrate how malicious files might look so employees can better identify suspicious activities.
  • IT Support should verify configurations: Regularly check that the Office configurations to block OLE packages are still in place. This includes conducting periodic reviews of the policy settings across different systems in the organisation.
  • Procurement should coordinate with vendors: Ensure that any new Office software purchases or subscriptions come with the capability to manage these configurations. Confirm that suppliers understand this requirement and provide appropriate support materials.

Audit / evidence tips

  • Ask: The Office Group Policy configuration report. Request documentation showing the current settings for OLE packages in Microsoft Office. Good: Includes a record showing these settings are set to 'disabled' or 'not configured'.
  • Ask: Staff training records. Request records of any training sessions conducted about Microsoft Office security measures. Good: Would be signed attendance sheets and training content that covered the disallowing of OLE packages.
  • Ask: Policy documentation. Request the section of your IT policy that relates to software configuration and OLE package activation. Good: Is a policy document clearly stating this requirement, along with revision dates.
  • Ask: Logs of configuration reviews. Request logs or records of when configuration settings were last checked or audited. Good: Shows regular checks have been conducted and discrepancies addressed immediately.
  • Ask: Procurement checklists. Request a copy of the checklist used when purchasing new Office software. Good: Includes documented discussions with vendors and notes on how these requirements were complied with.

Cross-framework mappings

How ISM-1536 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)
  • Annex A 8.9: ISM-1536 requires implementing one defined security configuration in Microsoft Office: blocking OLE package activation

E8

Supports (1)
  • E8-AH-ML2.7: ISM-1536 requires a specific Microsoft Office security configuration: blocking activation of OLE packages

Related (1)
  • E8-AH-ML2.5: ISM-1536 requires Microsoft Office to be configured to block activation of OLE packages to reduce exploitation of embedded objects

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
