ISM-1673, ASD Information Security Manual (ISM)

Prevent Win32 API Calls by Office Macros

Microsoft Office macros cannot make direct calls to Windows APIs.

Plain language

This control means Microsoft Office macros can't directly communicate with the core parts of Windows that handle tasks like opening programs or accessing files. This is important because if macros could do this, they might be used by bad actors to spread viruses or steal data from your computer systems.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2021

Control Stack last updated

19 May 2026

E8 maturity levels

ML2, ML3

Official control statement

Microsoft Office macros are blocked from making Win32 API calls.

Why it matters

If Office macros can call Win32 APIs, attackers can run native code, bypass protections and deliver malware or steal data.

Operational notes

Configure Office policy to block Win32 API calls from VBA/macros, and validate via GPO/registry settings and audit logs.
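
One way to run that validation on a Windows host, as an added example that is not part of the ISM or this page. It assumes the control is enforced with the Microsoft Defender Attack Surface Reduction rule "Block Win32 API calls from Office macros" (the page does not name the mechanism); the helper name Get-Win32ApiMacroRuleState and the sample arrays are constructed for illustration.

```powershell
# Added example (not from the ISM or this page). Assumes the control is enforced with
# the Microsoft Defender ASR rule "Block Win32 API calls from Office macros".
$RuleId      = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Hypothetical helper: map the parallel Ids/Actions arrays that Get-MpPreference
# returns to the configured state of this one rule.
function Get-Win32ApiMacroRuleState {
    param([string[]]$Ids, [int[]]$Actions)
    $n = [Math]::Min($Ids.Count, $Actions.Count)   # tolerate empty or uneven arrays
    for ($i = 0; $i -lt $n; $i++) {
        if ($Ids[$i] -ieq $RuleId) {
            $action = $Actions[$i]
            if ($ActionNames.ContainsKey($action)) { return $ActionNames[$action] }
            return "Unknown($action)"
        }
    }
    return 'NotConfigured'   # an absent rule is a finding, the same as Disabled
}

# Constructed sample: a host where the rule was left in audit mode.
$sampleIds     = @('d4f940ab-401b-4efc-aadc-ad5f3c50688a', '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B')
$sampleActions = @(1, 2)
"Sample host: $(Get-Win32ApiMacroRuleState -Ids $sampleIds -Actions $sampleActions)"

# Live host: effective state, the Group Policy value, and recent events for the rule.
$pref      = Get-MpPreference
$effective = Get-Win32ApiMacroRuleState -Ids $pref.AttackSurfaceReductionRules_Ids `
                                        -Actions $pref.AttackSurfaceReductionRules_Actions
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'
$gpoValue  = (Get-ItemProperty -Path $policyKey -Name $RuleId -ErrorAction SilentlyContinue).$RuleId
# Event 1121 = the rule blocked an action; 1122 = it would have blocked (audit mode).
$events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122
    } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $RuleId }

[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    EffectiveState = $effective
    GpoValue       = $gpoValue
    Compliant      = ($effective -eq 'Block')
    BlockEvents    = @($events | Where-Object Id -eq 1121).Count
    AuditEvents    = @($events | Where-Object Id -eq 1122).Count
}
```

GpoValue is populated only when the rule arrives through Group Policy; EffectiveState is what Defender is actually applying, so a host in Audit or Warn mode reports as not compliant.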

Implementation tips

  • IT team should configure Microsoft Office settings: Adjust the settings in Microsoft Office applications to disable direct calls to Windows APIs by macros. This can typically be done through group policy settings in the network management tools they use.
  • Office manager to inform and educate staff: Ensure all staff are aware that Office macros will have restricted capabilities and this is for their security. Use a short email or a meeting to explain that macros won't be able to perform risky operations that could harm the computer system.
  • System administrator should implement updates: Regularly check for and apply Microsoft Office updates that may be required to enforce this control. Make use of the automatic update feature where possible to ensure all Office applications are up to date.
  • The security team should perform regular checks: Conduct periodic reviews of policy settings to ensure that the macro security settings remain enforced. This can be done through audits of system configurations.
  • Procurement should verify software compatibility: Before purchasing or updating software that integrates with Office, ensure it is compatible with this restriction on macros. Discuss with software vendors about how their applications work with restricted macro functionality.

Audit / evidence tips

  • Ask: The Office macro policy settings documentation. Request evidence of current Microsoft Office macro settings being enforced. Good: Policies showing settings that restrict macro API usage.
  • Ask: A demonstration of restricted macro behaviour. Request an IT staff member to show how a macro's attempt to make API calls is blocked during operation. Good: Real-time logs showing blocked API call attempts.
  • Ask: A recent security test report on Office macros. Obtain a report on security test results concerning blocked macro actions. Good: A report showing no successful attempts to exploit APIs.
  • Ask: Training records regarding macro policy. Check records of staff training sessions that cover Microsoft Office restrictions on macros. Good: Completed training records with dates and attendees.
  • Ask: Update logs or schedules for Office software. Request the update logs or schedules showing regular software updates are applied. Good: A documented update routine ensuring the latest security patches are applied.

Cross-framework mappings

How ISM-1673 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 8.9 ISM-1673 requires implementing a specific security configuration: blocking Win32 API calls from Microsoft Office macros

E8

Control Notes Details
Partially overlaps (6)
Supports (2)
Related (1)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.