Prevent Changes to Email Client Security Settings
Users are not allowed to change the security settings on their email clients.
Plain language
This control means that people using email programs at your business aren't allowed to change security settings like spam filters or encryption options. It's crucial because if these settings are altered, it might leave your business open to cyber threats such as phishing or data leaks, risking your privacy and finances.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
User application hardening
Official control statement
Email client security settings cannot be changed by users.
Why it matters
If users can change email client security settings, they may disable protections, increasing phishing risk, malware delivery, and data leakage.
Operational notes
Enforce policy controls to lock email client security settings; routinely verify configs and record the approved secure baseline settings.
Implementation tips
- The IT team should configure email client settings: Set up centralised security settings on your email program that can't be changed by users. This could mean using admin tools to lock specific security features so they remain consistent across all computers.
- Managers should communicate the policy: Inform all staff that they cannot change email security settings, explaining the importance of this rule for protecting the business. Use team meetings or company-wide emails to ensure everyone understands and acknowledges this.
- The IT team should monitor compliance: Regularly check that email clients are adhering to the locked settings. Use software that can alert you if attempts to change these settings are made.
- Business owners should review policies: Ensure business policies include sections on email security management and what can and can't be done by users. This is your rule book that guides practice within the organisation.
- HR should support training: Provide training sessions for staff so they can spot threats like phishing emails, even if they can't adjust security settings themselves. This helps in building a security-minded culture.
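The "verify configs against the approved baseline" and "alert on changed settings" steps above can be automated as a drift check. The script below is an added example, not part of this page or of any vendor's tooling: the setting names, the export format (`value` plus a `locked` flag) and the three-workstation sample are all constructed. The design point it shows is that a setting with the right value but no policy lock is still a finding, because ISM-1748 is about users being unable to change the setting, not merely about its current value.

```python
"""Baseline drift check for managed email client security settings.

Added example, not part of the ISM-1748 page or any vendor tooling.
The setting names and the export format are constructed for illustration;
a real deployment would export the values from its own management tool
(Group Policy, MDM profile, etc.) in whatever shape that tool provides.
"""
from dataclasses import dataclass

# Approved secure baseline (constructed). Record it once, then check
# every host against it; "locked" below means the value is enforced by
# policy so the user cannot change it - the point of ISM-1748.
APPROVED_BASELINE = {
    "spam_filter_enabled": True,
    "external_sender_warning": True,
    "block_executable_attachments": True,
    "require_tls": True,
    "auto_preview_remote_images": False,
}


@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    severity: str  # "high": changed or unmanaged value; "medium": correct but unlocked
    detail: str


def check_host(host: str, current: dict) -> list[Finding]:
    """Compare one host's exported settings to the approved baseline.

    `current` maps setting name -> {"value": ..., "locked": bool}
    (format constructed for this example).
    """
    findings = []
    for name, expected in APPROVED_BASELINE.items():
        entry = current.get(name)
        if entry is None:
            # Policy never applied: the setting is whatever the user left it as.
            findings.append(Finding(host, name, "high", "setting not managed on host"))
            continue
        if entry["value"] != expected:
            findings.append(Finding(
                host, name, "high",
                f"value is {entry['value']!r}, baseline requires {expected!r}"))
        if not entry.get("locked", False):
            # Even a correct value is a finding if the user can still change it.
            findings.append(Finding(host, name, "medium",
                                    "value matches baseline but is user-modifiable"))
    return findings


def check_fleet(fleet: dict) -> list[Finding]:
    """Run the check over every host, in a stable (sorted) order."""
    return [f for host, cfg in sorted(fleet.items()) for f in check_host(host, cfg)]


# Constructed sample export from three workstations.
SAMPLE_FLEET = {
    # Fully compliant host.
    "ws-01": {name: {"value": v, "locked": True} for name, v in APPROVED_BASELINE.items()},
    "ws-02": {
        "spam_filter_enabled": {"value": False, "locked": False},  # turned off by user
        "external_sender_warning": {"value": True, "locked": True},
        "block_executable_attachments": {"value": True, "locked": True},
        "require_tls": {"value": True, "locked": False},  # correct value, but unlocked
        "auto_preview_remote_images": {"value": False, "locked": True},
    },
    "ws-03": {
        "spam_filter_enabled": {"value": True, "locked": True},
        "external_sender_warning": {"value": True, "locked": True},
        "block_executable_attachments": {"value": True, "locked": True},
        "require_tls": {"value": True, "locked": True},
        # auto_preview_remote_images is missing: policy never reached this host
    },
}

if __name__ == "__main__":
    for f in check_fleet(SAMPLE_FLEET):
        print(f"[{f.severity.upper()}] {f.host} {f.setting}: {f.detail}")
```

Run on the sample fleet, ws-01 produces no findings, ws-02 produces three (the disabled spam filter counts twice, once for the wrong value and once for being unlocked) and ws-03 one for the unmanaged setting. Feeding the findings list into whatever alerting the organisation already uses covers the "alert if attempts to change these settings are made" tip, and keeping `APPROVED_BASELINE` under version control gives the recorded baseline the operational notes ask for.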
Audit / evidence tips
- Ask: for the email client configuration document. Request documentation that details the security settings currently enforced across all email clients. Check whether the document specifies which settings are unchangeable and shows approval from authoritative personnel.
  Good: includes comprehensive settings details with evidence of senior management endorsement.
- Ask: for proof of staff communication. Request records or logs of communications sent to staff about this specific control.
  Good: evidence of an organisation-wide communication with dates and engagement records.
- Ask: for logs from the security software that monitors email settings.
  Good: logs showing consistent monitoring with no unauthorised changes occurring.
- Ask: for the organisation's formal policy document related to email security settings. Check that it states that staff cannot change settings and explains the policy rationale.
  Good: clear wording outlining restrictions and purpose, endorsed by management.
- Ask: for training records. Request records of training sessions conducted for staff on email security awareness.
  Good: shows regular training sessions with wide attendance.
Cross-framework mappings
How ISM-1748 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (2) | | |
| Annex A 5.15 | ISM-1748 requires that email client security settings cannot be changed by users | |
| Annex A 8.18 | ISM-1748 requires preventing users from changing security settings in email clients | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (3) | | |
| E8-AH-ML1.4 | ISM-1748 requires that users cannot change security settings in their email clients | |
| E8-RM-ML1.4 | ISM-1748 requires that email client security settings cannot be changed by users | |
| E8-AH-ML2.10 | E8-AH-ML2.10 requires locking down PDF software security settings so users cannot change them | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.