Disabling Microsoft Office Macros for Unauthorised Users
Microsoft Office macros are turned off unless users have a proven need for them.
Plain language
This control is about turning off Microsoft Office macros for anyone who doesn't have a clear business need to use them. Macros can be a back door for hackers to sneak into your systems if accessed by the wrong people, leading to data theft or malware attacks.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1, ML2, ML3
Guideline
Guidelines for system hardening
Section
User application hardening
Topic
Microsoft Office Macros
Official control statement
Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.
Why it matters
If Microsoft Office macros are enabled for users without a business need, macro malware is more likely to execute and compromise systems.
Operational notes
Review and revalidate macro approvals regularly, limiting macro enablement to named users with a current, documented business requirement.
Implementation tips
- The IT team should start by assessing which users truly need access to Office macros for their work tasks. This can be done by reviewing current usage reports and identifying roles where macros are a necessity.
- Managers need to collaborate with their teams to identify legitimate business cases for macro usage. They should document these cases with clear explanations of why macros are essential for specific tasks.
- Once legitimate needs are identified, the IT team should then configure Microsoft Office settings to disable macros by default. This involves changing the Group Policy settings or using Office's Trust Centre to restrict macro access to approved users only.
- The IT department should set up a request process where staff can apply for macro access if they develop a future need. This process should include managerial approval and a justification for why the access is needed.
- Regular training sessions should be organised by managers and the IT team to educate employees on the risks of enabling macros and the importance of adhering to organisational policies regarding macro usage.
Audit / evidence tips
- Ask: the list of users who have been granted macro access. Good: a list where each user's macro access is justified with a clear business need.
- Good: includes a clear, documented process for evaluating new requests.
- Ask: security settings from the IT system that show macros are disabled by default. Good: shows these settings applied consistently across all user endpoints.
- Ask: records of macro risk training sessions conducted for staff. Good: a schedule of regular training sessions with documented attendance and materials.
- Ask: logs showing when macros are enabled or altered. Good: includes an audit trail where any changes to macro settings are tracked and reconciled with approvals.
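The implementation tip about configuring Group Policy or the Trust Centre, and the audit tips asking for evidence that macros are disabled by default and applied consistently across endpoints, both come down to a small set of Office policy registry values. The script below is an added example, not code from the Control Stack page or from ASD. It assumes Office 2016/2019/Microsoft 365 (policy hive version `16.0`), the user-scope policy path `HKCU:\Software\Policies\Microsoft\Office\16.0\<App>\Security`, and the documented values `VBAWarnings` (4 = disable all macros without notification) and `blockcontentexecutionfrominternet` (1 = block macros in files marked as from the internet). Run without `-Enforce` to collect per-endpoint evidence; run with `-Enforce` (for a user with no approved macro requirement) to write the default-deny state that the equivalent Group Policy would set.

```powershell
# Added example (not from the Control Stack page or ASD): audit, and optionally enforce,
# the Office macro policy behind the Group Policy / Trust Centre setting described above.
# Assumptions: Office policy hive version "16.0"; per-application policy keys under
#   HKCU:\Software\Policies\Microsoft\Office\16.0\<App>\Security
# and the well-known DWORD values
#   VBAWarnings                         4 = disable all macros without notification
#   blockcontentexecutionfrominternet   1 = block macros in files from the internet
[CmdletBinding()]
param(
    [switch]$Enforce,
    [string]$OfficeVersion = '16.0',
    # Word, Excel, PowerPoint and Access all honour VBAWarnings under their Security key.
    [string[]]$Apps = @('Word', 'Excel', 'PowerPoint', 'Access')
)

# The hardened ("disabled by default") state the control expects for unapproved users.
$expected = @{
    VBAWarnings                       = 4
    blockcontentexecutionfrominternet = 1
}

function Get-MacroPolicyState {
    param([string]$App)
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    $state = [ordered]@{ App = $App; Key = $key }
    foreach ($name in $expected.Keys) {
        $value = $null
        if (Test-Path $key) {
            # Missing value stays $null, which counts as non-compliant below.
            $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        }
        $state[$name] = $value
    }
    # Compliant only when every expected value is present and matches the hardened setting.
    $checks = foreach ($name in $expected.Keys) { $state[$name] -eq $expected[$name] }
    $state.Compliant = ($checks -notcontains $false)
    [pscustomobject]$state
}

function Set-MacroPolicyState {
    param([string]$App)
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $expected.Keys) {
        New-ItemProperty -Path $key -Name $name -Value $expected[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

$results = foreach ($app in $Apps) {
    if ($Enforce) { Set-MacroPolicyState -App $app }
    Get-MacroPolicyState -App $app
}

# Console view for the operator.
$results | Format-Table App, VBAWarnings, blockcontentexecutionfrominternet, Compliant -AutoSize

# Evidence for the "settings applied consistently across all user endpoints" audit tip:
# a timestamped, per-application record that can be collected from every endpoint and
# reconciled against the list of users with an approved macro requirement.
$report = [pscustomobject]@{
    Host         = $env:COMPUTERNAME
    User         = $env:USERNAME
    Collected    = (Get-Date).ToString('o')
    AllCompliant = ($results.Compliant -notcontains $false)
    Apps         = $results
}
$report | ConvertTo-Json -Depth 3 |
    Out-File -FilePath "macro-policy-$($env:COMPUTERNAME)-$($env:USERNAME).json" -Encoding utf8
```

Values under `HKCU\Software\Policies` are the ones Group Policy writes, so on a domain-joined endpoint a later policy refresh will reassert whatever the GPO says; treat `-Enforce` as a way to reproduce the intended state on an unmanaged machine, and treat the JSON report as the artefact you keep. Users who do hold an approved requirement should appear in the report as non-compliant against this baseline, and that list should match the approvals register exactly; any other non-compliant endpoint is a gap to investigate.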
Cross-framework mappings
How ISM-1671 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Notes |
|---|---|
| Supports (4) | |
| E8-RM-ML1.2 | E8-RM-ML1.2 requires Microsoft Office macros from internet-originating files to be blocked |
| E8-RM-ML1.4 | ISM-1671 mandates disabling Microsoft Office macros for users without a demonstrated business need |
| E8-RM-ML3.1 | ISM-1671 requires Microsoft Office macros to be disabled for users unless they have a demonstrated business requirement |
| E8-RM-ML3.3 | ISM-1671 requires Microsoft Office macros to be disabled for users unless they have a demonstrated business requirement |
| Related (1) | |
| E8-RM-ML1.1 | E8-RM-ML1.1 requires Microsoft Office macros to be disabled for users unless they have a demonstrated business need |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.