ISM-1823 ASD Information Security Manual (ISM)

Prevent Users from Changing Security Settings in Apps

Users can't change security settings in office software, keeping configurations secure.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Feb 2023

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

ML2, ML3

Official control statement
Office productivity suite security settings cannot be changed by users.

Source: ASD Information Security Manual (ISM)

Plain language

This control means that users in your organisation shouldn't be able to change the security settings in office software like Microsoft Word or Excel. It's important because if users could change these settings, they might, whether intentionally or accidentally, weaken the protections that keep your business data safe from cyber threats.

Why it matters

If users can change Office app security settings, protections like macro blocking and protected view may be disabled, increasing data exposure and malware risk.

Operational notes

Enforce Office policy (e.g., Group Policy/Intune) so users cannot modify security options such as macro settings, Protected View, or trusted locations; audit regularly.
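
One way to audit this on a Windows endpoint, as an added example that is not part of the ISM or of this page's own material: the PowerShell below reports, for the current user, whether the macro, Protected View and trusted-location settings are set under the Office policy registry hive (applied by Group Policy/Intune and greyed out in the Trust Center) rather than left as user-changeable preferences. The Office version `16.0`, the list of apps and the values accepted as hardened are assumptions to align with your own baseline.

```powershell
# Added example: report whether Office security settings are locked by policy
# for the current user. Settings stored only as user preferences
# (HKCU:\Software\Microsoft\Office\...) can be changed in the Trust Center UI;
# values under the Policies hive are written by Group Policy/Intune, and
# standard users cannot modify that hive by default.
$version = '16.0'                         # assumption: Office 2016/2019/Microsoft 365 Apps
$apps    = 'Word', 'Excel', 'PowerPoint'  # assumption: apps in scope

# Policy value names and the values this example accepts as hardened
# (assumed baseline). VBAWarnings: 3 = disable all except digitally signed
# macros, 4 = disable all without notification.
$checks = @(
    @{ SubKey = 'Security';                   Name = 'VBAWarnings';                       Allowed = 3, 4 }
    @{ SubKey = 'Security';                   Name = 'blockcontentexecutionfrominternet'; Allowed = 1 }
    @{ SubKey = 'Security\ProtectedView';     Name = 'DisableInternetFilesInPV';          Allowed = 0 }
    @{ SubKey = 'Security\ProtectedView';     Name = 'DisableAttachmentsInPV';            Allowed = 0 }
    @{ SubKey = 'Security\Trusted Locations'; Name = 'AllowNetworkLocations';             Allowed = 0 }
)

$results = foreach ($app in $apps) {
    foreach ($c in $checks) {
        $path  = "HKCU:\Software\Policies\Microsoft\Office\$version\$app\$($c.SubKey)"
        $item  = Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($c.Name) } else { $null }

        # No policy value means the setting is not locked for this user.
        if ($null -eq $value)          { $status = 'NOT ENFORCED' }
        elseif ($value -in $c.Allowed) { $status = 'Enforced' }
        else                           { $status = 'Enforced, weak value' }

        [pscustomobject]@{ App = $app; Setting = $c.Name; Value = $value; Status = $status }
    }
}

$results | Format-Table -AutoSize
$gaps = @($results | Where-Object Status -ne 'Enforced')
'{0} of {1} checks need attention' -f $gaps.Count, @($results).Count
```

Run it in the context of a standard user account; the output can be kept as audit evidence alongside the Group Policy or Intune configuration export.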

Implementation tips

  • The IT team should configure the office software on all organisational computers so that the security settings cannot be altered by users. This can be done by setting up group policies that lock down the relevant settings.
  • The system administrator should ensure that only authorised personnel have the ability to update or change security configurations of office applications. This can be achieved by setting permissions that restrict access based on roles.
  • The IT team should regularly update the office software to the latest version to ensure it includes the most recent security enhancements, which can make it harder for users to bypass settings.
  • Managers should be trained to communicate to their teams why these restrictions are in place, explaining that it protects the company's data and their own information from misuse or loss.
  • The IT team should keep logs of any changes made to the office software configurations. This can involve setting up logging tools that record all administrative changes, providing a trail if investigation is needed.

Audit / evidence tips

  • Ask for the group policy settings documentation: request the document that outlines the current group policy settings related to office software security configurations.

    Good: shows explicit restrictions on altering security settings

  • Ask to see who has administrative rights on office applications.

    Good: a list showing only IT staff with admin privileges

  • Ask for records of software updates: request logs or reports showing recent updates to office software, and check that updates are regular and automatic.

    Good: shows a consistent update schedule ensuring the latest protections

  • Ask team leaders about staff understanding: hold brief interviews with managers or team leaders on how they communicate the importance of these settings to their teams.

    Good: includes confirmation of regular training sessions

  • Ask for logs of configuration changes: request access to logs showing when office app configurations were changed.

    Good: shows all changes are logged and authorised

Cross-framework mappings

How ISM-1823 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 8.9 ISM-1823 requires locking down office productivity suite security settings so users cannot change them

E8

Control Notes Details
Partially meets (1)
E8-AH-ML2.10 E8-AH-ML2.10 requires that PDF software security settings cannot be changed by users
Related (2)
E8-RM-ML1.4 ISM-1823 requires that office productivity suite security settings cannot be changed by users
E8-AH-ML2.7 ISM-1823 requires that office productivity suite security settings cannot be changed by users
