ISM-1585, ASD Information Security Manual (ISM)

Prevent User Changes to Browser Security Settings

Users are prevented from modifying web browser security settings, which ensures consistent protection.

Plain language

This control means that employees and users in an organisation cannot change the security settings of their web browsers. This is important because if users can reduce security settings, they might expose the organisation to online threats like viruses or hackers, leading to data breaches or loss of sensitive information.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML1, ML2, ML3

Official control statement

Web browser security settings cannot be changed by users.
Source: ASD Information Security Manual (ISM), ISM-1585

Why it matters

If users can change browser security settings, they may disable protections (e.g. safe browsing, blocking), exposing the organisation to phishing, malware and data theft.

Operational notes

Enforce locked-down browser security settings via Group Policy/MDM; routinely verify policies prevent user changes and remediate any local overrides.

Implementation tips

  • IT team should lock down browser settings: To prevent users from changing security settings, the IT team can use management tools to distribute browsers with pre-configured security settings across all company devices. Make sure these settings are locked so users can't modify them without authorisation.
  • System administrators should educate staff: Conduct training to explain why browser security settings are managed centrally and what the risks are if these settings are altered. This helps staff understand the importance of compliance and encourages reporting of any attempted changes.
  • Policy makers should establish guidelines: Develop clear policies that outline the approved browser settings and communicate these policies to all employees. Ensure the policy is accessible, possibly through an employee handbook or shared internal website.
  • Security team should regularly monitor compliance: Use network monitoring tools to check that browser settings are maintained as configured. Regular audits help identify any unauthorised changes or non-compliance issues.
  • Management should support compliance efforts: Encourage leadership to send regular reminders about the importance of maintaining security settings and the procedures for reporting suspicious activities. This will help foster a culture of security throughout the organisation.

Audit / evidence tips

  • Ask: The policy document on browser security settings. Request access to the official policy that outlines the approved settings and who can modify them. Good: A policy with clear settings, authorisation workflow, and distribution channels to staff.
  • Ask: A demonstration of browser management tools. Request a demo on how browsers are configured and managed on the organisation’s network. Good: Demonstration of effective settings management and restriction protocols.
  • Ask: Training records. Request evidence of staff training sessions related to browser security settings and online safety. Good: Up-to-date training logs showing regular sessions with high participation.
  • Ask: Compliance audit reports. Request recent audits that check for unauthorised changes to browser settings. Good: Comprehensive audit logs with no or quickly resolved discrepancies.
  • Ask: User logs and reports. Request logs showing attempts to change browser settings, blocked change attempts, or any security incidents related to browser settings. Good: Well-documented logs with minimal incidents showing effective control.

Cross-framework mappings

How ISM-1585 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

E8

Partially overlaps (1)

  • E8-AH-ML2.10: E8-AH-ML2.10 requires locking PDF software security settings so users cannot alter them

Supports (2)

  • E8-AH-ML1.2: E8-AH-ML1.2 requires that web browsers do not process Java content from the internet
  • E8-AH-ML2.1: ISM-1585 requires that web browser security settings cannot be changed by users

Related (1)

  • E8-AH-ML1.4: E8-AH-ML1.4 requires that web browser security settings are locked down so users cannot change them

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
