ISM-1675 | ASD Information Security Manual (ISM)

Prevent Enabling Untrusted Microsoft Office Macros

Macros from untrusted sources in Microsoft Office can't be enabled through standard interfaces.


Plain language

This control is about stopping Microsoft Office from running suspicious little programs called macros that originate from sources we don't trust. It's important because if harmful macros get in, they can mess with your files or steal information, like leaving your front door open for thieves.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2021

Control Stack last updated

19 May 2026

E8 maturity levels

ML3

Official control statement

Microsoft Office macros digitally signed by an untrusted publisher cannot be enabled via the Message Bar or Backstage View.
Source: ASD Information Security Manual (ISM), ISM-1675

Why it matters

If untrusted Office macros run, they can automate data theft or malware spread, critically compromising business operations and security.


Operational notes

Regularly verify that macro settings are enforced to block unsigned macros and educate users to avoid altering these via Message Bar or Backstage View.


Implementation tips

  • IT team should configure Microsoft Office group policies: They need to set up rules that automatically block macros from any untrusted source. This involves using the Group Policy Editor to navigate to the Microsoft Office settings and enabling the 'Disable all macros without notification' option.
  • Managers should educate staff about macro security: Organise a short training session to explain the dangers of enabling macros from unknown sources. Use real-world examples (like email scams) to illustrate how bad macros can sneak in and cause damage.
  • IT support should regularly update Microsoft Office: Ensure all Office applications are kept up-to-date with the latest security patches. Use automatic updating settings in the Office suite to make this process seamless and less prone to human error.
  • System administrators should set up security alerts: They need to configure the network to send alerts if there's any attempt to enable macros from untrusted sources. Use existing monitoring systems to watch out for this activity without overwhelming employees with notifications.
  • Procurement should ensure compliance with security policies: When buying or renewing software licences, check that all software supports disabling untrusted macros. Include specific requirements for macro management in software procurement contracts.

Audit / evidence tips

  • Ask: A report on Group Policy settings for Office. Request documentation showing the current Office group policy settings regarding macros. Good: Shows that macros are blocked unless they're from a trusted source.
  • Ask: A list of any exceptions made to this policy. Request any documentation of exceptions where macros from untrusted sources might have been enabled. Check for appropriate authorisation and risk assessment in these cases. Good: Includes detailed reasoning and approvals for any exceptions.
  • Ask: Records of staff training sessions on macro security. Request minutes or records of any conducted staff training sessions regarding Office macro security. Good: Has dated session records and participant lists.
  • Ask: To see update logs for Office applications. Request logs or reports showing recent updates to Office applications. Good: Shows consistent and recent updates aligned with vendor release notes.
  • Ask: Alerts and responses to potential macro threats. Request examples of alerts generated and the subsequent responses in handling them. Good: Includes prompt detection and written response procedures.

Cross-framework mappings

How ISM-1675 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

E8

Control Notes Details
Partially overlaps (2)
Supports (5)
Related (1)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
