Prevent Users from Changing Security Settings in Apps
Users can't change security settings in office software, keeping configurations secure.
Plain language
This control means that users in your organisation shouldn't be able to change the security settings in office software like Microsoft Word or Excel. It's important because if users could change these settings, they might, whether intentionally or accidentally, weaken the protections that keep your business data safe from cyber threats.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2, ML3
Guideline
Guidelines for system hardening
Section
User application hardening
Official control statement
Office productivity suite security settings cannot be changed by users.
Why it matters
If users can change Office app security settings, protections like macro blocking and protected view may be disabled, increasing data exposure and malware risk.
Operational notes
Enforce Office security settings through policy (Group Policy or Intune administrative templates) rather than through user preferences, so that macro settings, Protected View and trusted locations are written to the Policies registry hive, which overrides whatever a user selects in the Trust Center. Audit regularly for drift, and treat a setting that is left "Not configured" as a finding: an unconfigured policy leaves that setting user-changeable.
Implementation tips
- The IT team should configure the office software on all organisational computers so that the security settings cannot be altered by users. This can be done by setting up group policies that lock down the relevant settings.
- The system administrator should ensure that only authorised personnel have the ability to update or change security configurations of office applications. This can be achieved by setting permissions that restrict access based on roles.
- The IT team should regularly update the office software to the latest version so that known bypasses of the security settings are patched. Updates do not themselves lock settings; the policy enforcement does that, and updates keep it effective.
- Managers should be trained to communicate to their teams why these restrictions are in place, explaining that it protects the company's data and their own information from misuse or loss.
- The IT team should keep logs of any changes made to the office software configurations. This means auditing changes to the Group Policy objects or Intune profiles that carry the settings (for example, directory service change auditing or the Intune audit log), so there is a trail of who changed what, and when, if an investigation is needed.
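The following audit script is an added example and is not code from the ISM, the Essential Eight or the Control Stack page. It demonstrates the check behind the operational notes and implementation tips above: whether the Office security settings are actually enforced from the Policies registry hive (where Group Policy and Intune administrative templates write them) rather than merely set as user preferences. It assumes the Office 2016/2019/365 registry version `16.0`, and the value names below are taken from the Office security policy keys as the author of this example understands them (`VBAWarnings`, `BlockContentExecutionFromInternet`, the `ProtectedView` values and `AllLocationsDisabled`); the expected values are an illustrative hardened baseline chosen for the example, not a quotation from the control. Run it in the context of a standard user, since the user-configuration policies live under HKCU.

```powershell
# Added example: audit that Office security settings are locked by policy.
# Assumptions: Office registry version 16.0; value names as used by the Office
# security policies; baseline values chosen for illustration (not from the ISM).
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# Each entry: registry subkey under the app, value name, and the value the
# organisation expects policy to enforce.
$Baseline = @(
    @{ Sub = 'Security';                   Name = 'VBAWarnings';                       Expected = 4 },  # disable all macros without notification
    @{ Sub = 'Security';                   Name = 'BlockContentExecutionFromInternet'; Expected = 1 },  # block macros in files from the internet
    @{ Sub = 'Security\ProtectedView';     Name = 'DisableInternetFilesInPV';          Expected = 0 },  # Protected View stays on for internet files
    @{ Sub = 'Security\ProtectedView';     Name = 'DisableAttachmentsInPV';            Expected = 0 },  # ... and for Outlook attachments
    @{ Sub = 'Security\ProtectedView';     Name = 'DisableUnsafeLocationsInPV';        Expected = 0 },  # ... and for unsafe locations
    @{ Sub = 'Security\Trusted Locations'; Name = 'AllLocationsDisabled';              Expected = 1 }   # users cannot add trusted locations
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, instead of throwing.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-OfficePolicyLockdown {
    foreach ($app in $Apps) {
        foreach ($item in $Baseline) {
            # Policy hive: what Group Policy / Intune enforces. Office honours this
            # over the preference hive, so a value here cannot be changed by the user.
            $policyPath = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\$($item.Sub)"
            # Preference hive: what the user picked in the Trust Center. Only matters
            # when no policy value exists.
            $prefPath   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\$($item.Sub)"

            $policy = Get-RegValue -Path $policyPath -Name $item.Name
            $pref   = Get-RegValue -Path $prefPath   -Name $item.Name

            if ($null -eq $policy) {
                # No policy value: the setting is whatever the user chose, and they can change it.
                $status = 'NOT ENFORCED (user-changeable)'
            } elseif ($policy -eq $item.Expected) {
                $status = 'OK'
            } else {
                $status = 'ENFORCED BUT WRONG VALUE'
            }

            [pscustomobject]@{
                App            = $app
                Setting        = "$($item.Sub)\$($item.Name)"
                Expected       = $item.Expected
                PolicyValue    = $policy
                UserPreference = $pref      # shown so drift attempts by users are visible
                Status         = $status
            }
        }
    }
}

$report = Test-OfficePolicyLockdown
$report | Format-Table -AutoSize

$failures = @($report | Where-Object { $_.Status -ne 'OK' })
if ($failures.Count -gt 0) {
    Write-Warning "$($failures.Count) Office setting(s) are not locked by policy at the expected value."
}
```

A row that reports `NOT ENFORCED` with a non-null `UserPreference` is the case the control is about: the setting exists only as a user choice, so the user can weaken it at will. The same pattern applies to any other Trust Center option the organisation decides to lock; extend `$Baseline` rather than the logic.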
Audit / evidence tips
- Ask: for the Group Policy settings documentation. Request the document that outlines the current Group Policy settings related to office software security configurations.
  Good: shows explicit restrictions on altering security settings.
- Ask: to see who has administrative rights on office applications.
  Good: a list showing only IT staff with admin privileges.
- Ask: for records of software updates. Request logs or reports showing recent updates to office software, and check that updates are regular and automatic.
  Good: shows a consistent update schedule ensuring the latest protections.
- Ask: team leaders about staff understanding. Have brief interviews with managers or team leaders on how they communicate the importance of these settings to their teams.
  Good: includes confirmation of regular training sessions.
- Ask: for logs of configuration changes. Request access to logs showing when office app configurations were changed.
  Good: shows all changes are logged and authorised.
Cross-framework mappings
How ISM-1823 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.9 | ISM-1823 requires locking down office productivity suite security settings so users cannot change them | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| E8-AH-ML2.10 | E8-AH-ML2.10 requires that PDF software security settings cannot be changed by users | |
| Depends on (1) | | |
| E8-AH-ML2.3 | E8-AH-ML2.3 requires Microsoft Office to be blocked from creating executable content, which relies on Office security settings remaining ... | |
| Related (2) | | |
| E8-RM-ML1.4 | ISM-1823 requires that office productivity suite security settings cannot be changed by users | |
| E8-AH-ML2.7 | ISM-1823 requires that office productivity suite security settings cannot be changed by users | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.