ISM-1825 policy ASD Information Security Manual (ISM)

Ensure Security Configuration Is Immutable by Users

Users cannot modify the security settings of security products.

Preventative NC OS P ASD Information Security ManualGuidelines for system hardening configuration

record_voice_over

Plain language

This control means that users shouldn't be able to change the security settings on software that protects your systems, like antivirus programs or firewalls. This is important because if users could alter these settings, they might accidentally weaken the protection, making it easier for hackers to access sensitive information or disrupt operations.

01 — Overview

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Guideline

Guidelines for system hardening

Section

User application hardening

Topic

Hardening User Application Configurations

Official control statement

Security product security settings cannot be changed by users.

policy ASD Information Security Manual (ISM) ISM-1825

priority_high

Why it matters

If users can change security product settings, they may disable protections, allowing malware, breaches, or data theft to occur.

settings

Operational notes

Restrict admin rights and enforce tamper protection so end users cannot modify security product policies; alert on attempted changes and review exceptions.

02 — Implement

build

Implementation tips

IT team should configure software: Make sure that security settings, such as antivirus or firewall configurations, are locked so that only authorised personnel can modify them. You can do this by using administrative tools within the software to set strong passwords and access controls.
System owner should review permissions: Work with the IT team to check who currently has the ability to change security settings. Ensure only trusted and knowledgeable staff have this access, and remove permissions from those who don’t need it.
IT team should use administrative accounts: When setting up computers and applications, use a special account that’s only for IT staff, which has higher permissions. Regular users should have accounts that don’t allow them to change important settings.
Management should provide training: Educate staff about the importance of keeping security settings in place. Regular training sessions can help staff understand the implications of trying to bypass security measures and encourage them to report any suspicious behaviour.
System owner should monitor changes: Set up alerts or regularly check logs to know when changes are attempted or made to security settings. Use software tools that can notify you of these changes and ask the IT team to investigate any unauthorised attempts.

03 — Audit

fact_check

Audit / evidence tips

Askthe list of authorised personnel: Request a document or list showing who can modify security settings

Goodis a document updated within the last year showing current and minimal necessary personnel
Asksoftware configuration logs: Request a review of logs that track changes to security settings
Asktraining records: Request recent records of staff training on security policies

Goodrecord includes recent attendance, topics covered, and evidence that all relevant staff participated
Askpassword policy document: Request the document outlining how passwords and permissions are set up for security configuration access

Goodis a comprehensive document that aligns with current security standards
Askthe monitoring report: Request a recent report or alert record of monitoring attempts on configuration changes

Goodshows proactive monitoring and responses to any suspicious activities

04 — Mappings

link

Cross-framework mappings

How ISM-1825 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

ISO 27001

Control	Notes	Details
layers Partially meets (1) expand_less
Annex A 8.9	ISM-1825 requires that users cannot change the security settings of security products, preserving the intended secure state

E8

Control	Notes	Details
sync_alt Partially overlaps (1) expand_less
E8-RM-ML1.4	ISM-1825 requires that security product security settings cannot be changed by users to maintain enforced protections
link Related (2) expand_less
E8-AH-ML2.7	ISM-1825 requires that security product security settings cannot be changed by users, ensuring protective controls remain enforced
E8-AH-ML2.10	ISM-1825 requires that users cannot change security product security settings, preventing weakening of security controls

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.