Ensuring Secure Execution of Microsoft Office Macros
Only safe Microsoft Office macros are allowed to run, using security measures like sandboxing or trusted signatures.
Plain language
This control is about making sure that only safe macros—small programs you can run in Microsoft Office—are allowed to execute on your computer. Without this, you could accidentally run a harmful macro that steals information, corrupts files, or damages your system.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Guideline
Guidelines for system hardening
Section
User application hardening
Topic
Microsoft Office Macros
Official control statement
Only Microsoft Office macros running from within a sandboxed environment, a Trusted Location or that are digitally signed by a trusted publisher are allowed to execute.
Why it matters
Unchecked Office macros can run malicious code, leading to compromise unless sandboxed, trusted or signed.
Operational notes
Allow macro execution only from Trusted Locations, a sandbox, or macros signed by trusted publishers; review regularly.
Implementation tips
- Business owners should talk to their IT support team about setting up secure environments for running macros. Encourage them to ensure that Microsoft Office macros are only executed in pre-approved locations, like a trusted folder on your network.
- Office managers should work with the IT department to identify which macros are necessary for daily operations. Make a list of all essential macros and ensure they are either from a trusted source or signed by a reputable publisher.
- IT teams should configure the settings in Microsoft Office to only run macros from trusted locations. This involves adjusting the trust settings within each Office application to restrict where macros can be executed.
- Procurement teams should review software contracts to ensure they include the ability to digitally sign Microsoft Office macros. This means ensuring that any software that generates or uses macros has the capability to attach a digital signature from a trusted publisher.
- System administrators should regularly update and maintain the list of trusted publishers whose macros can run on the network. This involves checking publisher credentials and verifying they remain trustworthy over time.
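As an added example (not from the ISM or this Control Stack page), the following PowerShell writes the Office policy registry values that implement this control for the main Office applications, then reads them back as audit evidence. It assumes the Office `16.0` policy hive (Office 2016/2019/Microsoft 365), a per-user policy scope under HKCU (use HKLM for machine-wide policy), and a placeholder UNC path for the Trusted Location.

```powershell
# Added example: enforce ISM-1674 through Office policy registry values and verify.
# Assumptions: Office 16.0 hive, HKCU scope, placeholder Trusted Location path.
$Apps        = @('Word', 'Excel', 'PowerPoint', 'Access', 'Visio')
$TrustedPath = '\\fileserver\approved-macros\'   # placeholder: your approved macro share
$PolicyRoot  = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

foreach ($app in $Apps) {
    $sec = Join-Path $PolicyRoot "$app\Security"
    New-Item -Path $sec -Force | Out-Null

    # VBAWarnings 3 = "Disable all except digitally signed macros"
    Set-ItemProperty -Path $sec -Name 'VBAWarnings' -Value 3 -Type DWord
    # Block macros in files carrying the Mark-of-the-Web (downloaded from the internet)
    Set-ItemProperty -Path $sec -Name 'BlockContentExecutionFromInternet' -Value 1 -Type DWord

    # One Trusted Location on the network; network paths must be explicitly allowed
    $tl = Join-Path $sec 'Trusted Locations'
    New-Item -Path $tl -Force | Out-Null
    Set-ItemProperty -Path $tl -Name 'AllowNetworkLocations' -Value 1 -Type DWord
    $loc = Join-Path $tl 'Location1'
    New-Item -Path $loc -Force | Out-Null
    Set-ItemProperty -Path $loc -Name 'Path' -Value $TrustedPath -Type String
    Set-ItemProperty -Path $loc -Name 'AllowSubfolders' -Value 1 -Type DWord
    Set-ItemProperty -Path $loc -Name 'Description' -Value 'Approved macros (ISM-1674)' -Type String
}

# Read the effective policy back per application: the table this prints is the
# kind of evidence an assessor asks for when reviewing Office security settings.
function Get-MacroPolicyEvidence {
    foreach ($app in $Apps) {
        $sec = Join-Path $PolicyRoot "$app\Security"
        $p = Get-ItemProperty -Path $sec -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Application   = $app
            VBAWarnings   = $p.VBAWarnings                        # expect 3
            BlockInternet = $p.BlockContentExecutionFromInternet  # expect 1
            Compliant     = ($p.VBAWarnings -eq 3) -and ($p.BlockContentExecutionFromInternet -eq 1)
        }
    }
}

Get-MacroPolicyEvidence | Format-Table -AutoSize
```

Trusted publishers themselves are certificates in the user's or machine's Trusted Publishers certificate store and are not set by this script. A sandboxed environment for macro execution is an infrastructure measure outside the scope of these registry values.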
Audit / evidence tips
- Ask for the security policy for running macros in Microsoft Office: request the document that explains how macros are managed and what measures are in place. Good evidence is a clearly documented policy showing these controls are defined and enforced.
- Ask for the list of approved macros and their sources: request an inventory of all macros currently used within the business. Good evidence would include macros listed with their source and a record of approval.
- Ask for a demonstration of Microsoft Office security settings: request to see how macros are restricted within Office applications. A good demonstration shows macros set to run only from authorised locations.
- Ask for IT security logs related to macro security: request logs documenting attempted macro executions and any blocked incidents. Good evidence includes recent logs with no successful unauthorised macro executions.
- Ask for the latest update report from the IT team about trusted publisher reviews: request a document showing when and how trusted publishers were reviewed. Good evidence provides proof of thorough and regular reviews.
Cross-framework mappings
How ISM-1674 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8 mappings
- Partially meets (1)
- Partially overlaps (1)
- Supports (6)
- Related (1)
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.