Disable OLE in Microsoft Office for Security
Microsoft Office is set to block OLE, a feature that could pose security risks.
Plain language
This control requires Microsoft Office to disable a feature called Object Linking and Embedding (OLE). OLE can create opportunities for cyber attackers to sneak harmful software into your system through supposedly legitimate files. By turning off OLE, you reduce the risk of opening your business up to data breaches or malware infections, which could cost you time, money, and trust.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Dec 2018
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2, ML3
Guideline
Guidelines for system hardening
Section
User application hardening
Official control statement
Microsoft Office is configured to prevent activation of Object Linking and Embedding packages.
Why it matters
If OLE is not disabled, embedded OLE packages in Office files may execute, enabling malware infection, data theft, or host compromise.
Operational notes
Regularly verify that Office GPO/registry settings keep OLE activation disabled, and test with sample files after updates to ensure it cannot be re-enabled.
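One way to automate the registry check described above, as an added example that is not part of the original page. It assumes the control is implemented with the per-user `PackagerPrompt` DWORD under `HKCU\Software\Microsoft\Office\16.0\<application>\Security` (where `2` means no prompt and the packaged object does not execute) and that the Office version key is `16.0`; neither the value name nor the version appears on the page.

```powershell
# Added example: audit OLE package activation settings for the current user.
# Assumptions (not from the page): Office version key 16.0, and the control
# is implemented through the PackagerPrompt DWORD for each application.
$OfficeVersion = '16.0'
$Apps          = 'Word', 'Excel', 'PowerPoint'
$Required      = 2   # 2 = no prompt, packaged object does not execute

$results = foreach ($app in $Apps) {
    $key   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"
    $value = $null

    # A missing key or value means the application falls back to its
    # default behaviour, so it is reported as non-compliant.
    if (Test-Path -Path $key) {
        $prop  = Get-ItemProperty -Path $key -Name 'PackagerPrompt' -ErrorAction SilentlyContinue
        $value = $prop.PackagerPrompt
    }

    [pscustomobject]@{
        Application    = $app
        Key            = $key
        PackagerPrompt = if ($null -eq $value) { 'not set' } else { $value }
        Compliant      = ($value -eq $Required)
    }
}

$results | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or compliance tool flag drift.
if ($results.Compliant -contains $false) { exit 1 } else { exit 0 }
```

Because the value lives under HKCU, the script reports on the account it runs as; run it in each user's context (for example as a logon script) to cover every user on a host.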
Implementation tips
- IT staff should configure Microsoft Office settings to disable OLE. This involves accessing the Office application options and specifically turning off any OLE functionalities through policy settings. This can be done using group policies if you manage multiple computers within the organisation.
- The IT security manager should communicate the change in OLE functionality to all staff. This could involve a short email explaining what OLE is, why it has been disabled, and how this affects their daily tasks to ensure everyone is informed and prepared.
- System administrators should test document functionalities after disabling OLE. They can do this by trying to open, edit, and save different types of Office documents to ensure that disabling OLE doesn't disrupt everyday work processes and that no critical features are affected.
- Office managers or team leaders should gather feedback from staff about any disruptions caused by disabling OLE. This step includes organising a brief meeting or survey to identify any issues employees might face, enabling the IT team to adjust settings or provide alternative solutions.
- IT teams should create a backup of current Office settings before disabling OLE. This involves documenting the existing configuration and exporting current settings to a secure location in case they need to revert to the previous setup.
Audit / evidence tips
- Ask: a record of the Office settings changes. Request documentation that details the adjustments made to disable OLE across your organisation's Office suite.
  Good: a document or screenshot showing the policy applied and active status.
- Ask: a testing log. Request records showing the tests carried out to ensure Office functionality is not impaired after disabling OLE.
  Good: includes a spreadsheet or database with successful test results and sign-offs from IT.
- Ask: communication records to staff. Request to see the email or memo sent to staff regarding the OLE changes.
  Good: an email or document from a date close to the implementation, ensuring all staff were informed.
- Ask: feedback collection method. Request details of how feedback from staff was gathered and documented post-implementation.
  Good: a summary report with key observations and actions taken.
- Ask: backup procedure documentation. Request evidence that backups of settings were created before implementing OLE changes.
  Good: a procedure document or verification that backups were made and stored correctly.
Cross-framework mappings
How ISM-1542 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| E8-AH-ML2.2 | E8-AH-ML2.2 requires Microsoft Office to be blocked from creating child processes to reduce the ability of Office documents to launch add... | |
| Supports (3) | | |
| E8-AH-ML2.3 | ISM-1542 requires Microsoft Office to be configured to prevent activation of Object Linking and Embedding (OLE) packages | |
| E8-AH-ML2.4 | ISM-1542 requires Microsoft Office to be configured to prevent activation of Object Linking and Embedding (OLE) packages | |
| E8-AH-ML2.7 | E8-AH-ML2.7 requires that office productivity suite security settings cannot be changed by users | |
| Related (1) | | |
| E8-AH-ML2.5 | E8-AH-ML2.5 requires Microsoft Office to be configured to prevent activation of Object Linking and Embedding (OLE) packages | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.