Ensure Security Configuration Is Immutable by Users
Users cannot modify the security settings of security products.
Plain language
This control means that users shouldn't be able to change the security settings on software that protects your systems, like antivirus programs or firewalls. This is important because if users could alter these settings, they might accidentally weaken the protection, making it easier for hackers to access sensitive information or disrupt operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
User application hardening
Official control statement
Security product security settings cannot be changed by users.
Why it matters
If users can change security product settings, they may disable protections, allowing malware, breaches, or data theft to occur.
Operational notes
Restrict admin rights and enforce tamper protection so end users cannot modify security product policies; alert on attempted changes and review exceptions.
Implementation tips
- IT team should configure software: Make sure that security settings, such as antivirus or firewall configurations, are locked so that only authorised personnel can modify them. You can do this by using administrative tools within the software to set strong passwords and access controls.
- System owner should review permissions: Work with the IT team to check who currently has the ability to change security settings. Ensure only trusted and knowledgeable staff have this access, and remove permissions from those who don’t need it.
- IT team should use administrative accounts: When setting up computers and applications, use a special account that’s only for IT staff, which has higher permissions. Regular users should have accounts that don’t allow them to change important settings.
- Management should provide training: Educate staff about the importance of keeping security settings in place. Regular training sessions can help staff understand the implications of trying to bypass security measures and encourage them to report any suspicious behaviour.
- System owner should monitor changes: Set up alerts or regularly check logs to know when changes are attempted or made to security settings. Use software tools that can notify you of these changes and ask the IT team to investigate any unauthorised attempts.
Audit / evidence tips
- Ask: the list of authorised personnel. Request a document or list showing who can modify security settings.
  Good: a document updated within the last year showing current and minimal necessary personnel.
- Ask: software configuration logs. Request a review of logs that track changes to security settings.
- Ask: training records. Request recent records of staff training on security policies.
  Good: the record includes recent attendance, topics covered, and evidence that all relevant staff participated.
- Ask: password policy document. Request the document outlining how passwords and permissions are set up for security configuration access.
  Good: a comprehensive document that aligns with current security standards.
- Ask: the monitoring report. Request a recent report or alert record of monitoring attempts on configuration changes.
  Good: shows proactive monitoring and responses to any suspicious activities.
Cross-framework mappings
How ISM-1825 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.9 | ISM-1825 requires that users cannot change the security settings of security products, preserving the intended secure state | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| E8-RM-ML1.4 | ISM-1825 requires that security product security settings cannot be changed by users to maintain enforced protections | |
| Related (2) | | |
| E8-AH-ML2.7 | ISM-1825 requires that security product security settings cannot be changed by users, ensuring protective controls remain enforced | |
| E8-AH-ML2.10 | ISM-1825 requires that users cannot change security product security settings, preventing weakening of security controls | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.