Prevent Changes to PDF Application Security Settings
Users are restricted from changing security settings in PDF applications.
Plain language
This control means that people using PDF applications at work cannot change the security settings. This matters because if someone tampers with these settings, it could make sensitive documents easier to steal or tamper with, which might expose personal or business information to unauthorized people.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2, ML3
Guideline
Guidelines for system hardening
Section
User application hardening
Official control statement
PDF application security settings cannot be changed by users.
Why it matters
Allowing users to change PDF security settings can enable copying, printing or editing of protected PDFs, increasing the risk of sensitive data exposure.
Operational notes
Lock PDF application security settings using GPO/MDM and prevent local overrides; periodically verify settings and report any user-changeable options.
Implementation tips
- The IT team should configure PDF applications to lock security settings. This can be done by using administrative tools that prevent users from accessing or changing security configurations.
- System administrators should create a policy that outlines which security settings are non-negotiable in PDF applications. This policy should be easy for employees to understand and follow, explaining why these settings must remain unchanged.
- Ensure training sessions for all staff are organised by HR in collaboration with IT, to educate employees on the importance of maintaining secure settings in PDF applications and the potential risks if these settings are altered.
- IT support can set up automatic alerts for any attempt to change PDF application security settings by unauthorised users. This can be achieved by configuring monitoring tools on all company devices running PDF software.
- Managers should regularly remind their teams about the security protocols regarding PDF applications. A regular email or an inclusion in monthly team meetings can reinforce the message and ensure compliance.
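The operational note above says to lock the settings through GPO/MDM, verify them periodically and report any option a user could still change. The following PowerShell audit script is an added example, not part of the Control Stack page or the ISM. It assumes Adobe Acrobat Reader DC is the PDF application in use and that the key path and value names match Adobe's documented FeatureLockDown preferences (values placed under the machine Policies hive are read by Reader as locked and cannot be overridden from the user interface); the baseline itself is an assumption to be checked against the vendor's current preference reference and ASD's hardening guidance before use.

```powershell
# Added example (not from the page or the ISM): audit the Reader DC policy lockdown key and
# report any PDF security setting that is absent, and therefore still user-changeable, or drifted.
# ASSUMPTION: key path and value names follow Adobe's FeatureLockDown preference reference.
$LockDownKey = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'

# Expected baseline: setting name => required DWORD value (assumed baseline, verify before adopting).
$Baseline = [ordered]@{
    bProtectedMode                   = 1  # Protected Mode sandbox on
    bEnableProtectedModeAppContainer = 1  # run the sandbox inside an AppContainer
    bEnhancedSecurityStandalone      = 1  # Enhanced Security for standalone Reader
    bEnhancedSecurityInBrowser       = 1  # Enhanced Security for browser-embedded Reader
    iProtectedView                   = 2  # Protected View for all files
    bDisableJavaScript               = 1  # JavaScript off
    bDisableTrustedFolders           = 1  # users cannot add privileged locations
    bDisableTrustedSites             = 1  # users cannot add trusted sites
}

function Test-PdfLockDown {
    [CmdletBinding()]
    param(
        [string]$KeyPath = $LockDownKey,
        [System.Collections.IDictionary]$Expected = $Baseline
    )

    $findings  = @()
    $keyExists = Test-Path -Path $KeyPath

    foreach ($name in $Expected.Keys) {
        $actual = $null
        if ($keyExists) {
            # -ErrorAction SilentlyContinue leaves $actual as $null when the value is not set.
            $actual = (Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue).$name
        }
        $status = if ($null -eq $actual)               { 'NotLocked' }   # no policy value: user can change it
                  elseif ($actual -ne $Expected[$name]) { 'Drift' }       # policy present but wrong value
                  else                                  { 'Enforced' }
        $findings += [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Status   = $status
        }
    }
    return $findings
}

# Run the audit and emit a table that can be attached to the evidence log.
$result = Test-PdfLockDown
$result | Format-Table -AutoSize

$bad = @($result | Where-Object { $_.Status -ne 'Enforced' })
if ($bad.Count -gt 0) {
    # Non-zero exit so a scheduled task or endpoint-management job can raise the alert on drift.
    Write-Warning ("{0} PDF security setting(s) are not locked by policy: {1}" -f $bad.Count, ($bad.Setting -join ', '))
    exit 1
}
'All audited PDF application security settings are locked by policy.'
```

Run the script as a scheduled task or through the endpoint-management tool on every device with the PDF application installed; the non-zero exit on drift is what turns "periodically verify" into the automatic alert the implementation tips describe, and the table output is the kind of evidence the audit tips ask for.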
Audit / evidence tips
- Ask: the documented policy on PDF application security settings
  Good: a detailed policy document reviewed by IT and approved by management
- Ask: a demonstration of the controls configured in PDF applications to restrict changes
  Good: shows these settings are part of a centralised management tool and cannot be altered by end users
- Good: includes a log with details showing who attempted the change and when
- Ask: training materials used to educate staff about this control
  Good: provides engaging materials that have been distributed to all staff
- Good: demonstrates that the majority of staff understand and value these protections
Cross-framework mappings
How ISM-1824 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 8.9 | ISM-1824 requires preventing user changes to PDF application security settings, ensuring a fixed secure configuration for that application | |
| Annex A 8.32 | ISM-1824 addresses controlling changes by users to PDF application security settings, effectively treating such changes as disallowed con... | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| E8-AH-ML2.7 | ISM-1824 requires that PDF application security settings cannot be changed by users | |
| E8-AH-ML2.9 | E8-AH-ML2.9 requires PDF software to be hardened using ASD and vendor guidance, ensuring secure baseline settings are applied | |
| Supports (1) | | |
| E8-AH-ML2.8 | E8-AH-ML2.8 requires a technical enforcement that prevents PDF software from spawning child processes | |
| Related (1) | | |
| E8-AH-ML2.10 | ISM-1824 requires that PDF application security settings cannot be changed by users | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.