Validate Trusted Publishers for Microsoft Office
Ensure the list of trusted Microsoft Office publishers is checked at least once a year.
Plain language
This control is about making sure that only trustworthy software companies can create or update documents in Microsoft Office on your computer. If you don't check these trusted companies regularly, someone sneaky could slide in harmful software, leading to loss of sensitive information or disruption of your daily operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Guideline
Guidelines for system hardening
Section
User application hardening
Topic
Microsoft Office Macros
Official control statement
Microsoft Office's list of trusted publishers is validated on an annual or more frequent basis.
Why it matters
Unchecked Microsoft Office trusted publishers can allow malicious signed macros/add-ins to run, risking data compromise and disruption.
Operational notes
Review Microsoft Office trusted publishers at least annually; remove unknown entries and confirm each certificate/publisher remains valid and required.
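One way to gather the inputs for that review on a Windows endpoint, as an added example that is not from the ISM or the Control Stack page: Office's Trust Center "Trusted Publishers" list is the Windows Trusted Publishers certificate store, so PowerShell can list every entry in the user and machine stores, flag expired or chain-failing certificates, and compare thumbprints against an organisation-maintained approved list (assumed here, with placeholder values).

```powershell
# Added example: annual review of Microsoft Office trusted publishers.
# Assumption: $ApprovedThumbprints is the organisation's documented allowlist
# of publisher certificate thumbprints (placeholder values below).
$ApprovedThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_1',
    'PLACEHOLDER_THUMBPRINT_2'
)

# Office reads trusted publishers from both the user-scope and machine-scope stores.
$stores  = @('Cert:\CurrentUser\TrustedPublisher', 'Cert:\LocalMachine\TrustedPublisher')
$now     = Get-Date
# Test-Certificate (PKI module) validates chain and revocation; skip if unavailable.
$canTest = [bool](Get-Command Test-Certificate -ErrorAction SilentlyContinue)

$report = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert   = $_
        $status = @()
        if ($cert.NotAfter -lt $now) { $status += 'EXPIRED' }
        if ($ApprovedThumbprints -notcontains $cert.Thumbprint) { $status += 'NOT_ON_APPROVED_LIST' }
        if ($canTest) {
            $chainOk = Test-Certificate -Cert $cert -Policy Base -WarningAction SilentlyContinue
            if (-not $chainOk) { $status += 'CHAIN_OR_REVOCATION_FAILURE' }
        }
        $finding = if ($status.Count -gt 0) { $status -join ';' } else { 'OK' }
        [pscustomobject]@{
            Store      = $store
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Finding    = $finding
        }
    }
}

# Console summary for the reviewer, plus a dated CSV as audit evidence.
$report | Sort-Object Finding, Subject | Format-Table -AutoSize
$report | Export-Csv -Path ".\TrustedPublisherReview_$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Entries flagged as anything other than OK are the candidates for removal or re-approval; the removal itself should go through the change management process so the audit trail is kept.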
Implementation tips
- System owners should identify a trusted individual or team, such as the IT team, to oversee the list of trusted publishers. They need to access the security settings in Office and make sure only verified companies are on the list. Schedule this review at least every twelve months to maintain security.
- IT teams should document procedures for adding or removing publishers from the trusted list. They can use Office's built-in tools to see who is already on the list and adjust as necessary, ensuring transparency and accountability.
- Managers should ensure staff are trained on the risks of unwanted software and on how trusted publishers work. Host quarterly information sessions to raise awareness and answer any questions employees have about their use of Office.
- Procurement teams should coordinate with IT during the purchase of new software solutions. They must confirm that new software vendors are verified before adding them as trusted publishers in Microsoft Office systems.
- IT teams should use a change management system to track any alterations to the trusted publisher list. This will allow them to revert changes if needed and keep an audit trail of any modifications in the system.
Audit / evidence tips
- Ask for the trusted publishers list: request a current list of companies considered trusted Office publishers. Good evidence will show recognised software companies with no unexplained or suspicious entries.
- Ask for a review schedule: request documentation that outlines when the trusted publishers list was last reviewed and when the next review is scheduled. Good evidence is a clear timeline showing reviews were done on time.
- Ask for training records: get evidence of staff training sessions on the topic of trusted publishers in Office. Good evidence provides detailed agendas and attendance records showing regular training.
- Ask for change logs: request logs or records of changes made to the trusted publishers list. Good evidence includes a detailed log with names, dates, and justifications for every change.
- Ask for risk assessments: request any documentation that details risk assessments carried out on potential publishers. Good evidence shows thoughtful risk analysis and approval from responsible parties.
Cross-framework mappings
How ISM-1676 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| E8-AC-ML2.4 | E8-AC-ML2.4 requires organisations to validate their application control rulesets annually or more frequently | |
| Supports (2) | | |
| E8-RM-ML3.1 | ISM-1676 requires organisations to periodically validate which publishers are trusted in Microsoft Office | |
| E8-RM-ML3.4 | E8-RM-ML3.4 requires that macros signed by an untrusted publisher cannot be enabled via the Message Bar or Backstage View | |
| Related (1) | | |
| E8-RM-ML3.6 | ISM-1676 requires Microsoft Office’s list of trusted publishers to be validated at least annually | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.