Hardening Office Productivity Suites
Secure your office apps using the strictest guidance from ASD and vendors to keep your data safe.
Plain language
Hardening your office productivity software, like Microsoft Office or Google Workspace, is about setting up these tools to be as secure as possible. It's important because if your office software is not properly secured, it can become a backdoor for hackers, putting sensitive data and business operations at risk.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2, ML3
Guideline
Guidelines for system hardening
Section
User application hardening
Official control statement
Office productivity suites are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.
Why it matters
If office productivity suites are not hardened, attackers can exploit macros, add-ins or document handling to execute code and exfiltrate sensitive data.
Operational notes
Regularly update office suite hardening settings to match latest ASD/vendor guidance; monitor for security customisation drift.
Implementation tips
- IT team should follow security guidelines: The IT team should closely follow security hardening guides from both the Australian Signals Directorate (ASD) and the software vendors. They can find these guides on the ASD website and from the software vendors' resources, and must apply the strictest recommendations even if they are tough to implement.
- Office managers should ensure software is updated: Office managers need to make sure that all office productivity software is regularly updated to the latest versions. This involves setting up automatic updates or scheduling a regular time each month for manual updates, ensuring security patches are applied promptly.
- System owners should collaborate with users: System owners should work with employees to identify which security settings may impact their workflow and find a balance. They can do this by organising workshops to discuss workflow needs while still maintaining security compliance.
- Managers should develop a hardening policy: Managers should create a clear policy on how office software should be configured and maintained securely. They can draft this by consulting both ASD guidelines and industry best practices, making sure to document this policy clearly and distribute it among staff.
- Procurement should buy compliant software: Procurement teams should ensure any new software purchases comply with security guidelines from ASD and the vendors. This includes asking vendors for documentation on their compliance with security standards before making a purchase.
Audit / evidence tips
- Ask: the security settings documentation: Request the document detailing the security settings applied to each office productivity suite in use
  Good: Settings documentation that lists strict security measures and compliance with the strictest guidelines
- Ask: to see patch management records: Request records of software updates and patches applied to the office suites
  Good: Detailed logs showing updates have been applied within a reasonable timeframe after release
- Ask: documentation of any workshops or training sessions held to educate staff on software security settings
  Good: Records showing regular training sessions with positive feedback on understanding and compliance
- Ask: compliance reports: Request reports or audits that verify compliance with ASD and vendor guidelines
  Good: Recent audit reports showing full compliance or documented plans for addressing any gaps
- Ask: records that show how new software purchases were evaluated for security compliance
  Good: Detailed procurement criteria including security compliance factors being checked and approved
Cross-framework mappings
How ISM-1859 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| E8-AH-ML2.9 | E8-AH-ML2.9 requires PDF software to be hardened using ASD and vendor guidance, prioritising the most restrictive settings | |
| Related (3) | | |
| E8-AH-ML2.2 | ISM-1859 requires organisations to harden office productivity suites in line with ASD and vendor guidance, applying the most restrictive ... | |
| E8-AH-ML2.6 | ISM-1859 requires office productivity suites to be hardened using ASD and vendor hardening guidance, applying the most restrictive settin... | |
| E8-AH-ML2.7 | ISM-1859 requires office productivity suites to be hardened using ASD and vendor guidance, choosing the most restrictive configuration wh... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.