Harden PDF Applications Using ASD Guidance
Ensure PDF applications are securely configured following official security guidelines.
Plain language
Setting up PDF software to follow strict security rules is essential to protect sensitive information. If not configured properly, these applications could be a gateway for cyber criminals to access your important documents and data.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2, ML3
Guideline
Guidelines for system hardening
Section
User application hardening
Official control statement
PDF applications are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.
Why it matters
If PDF applications are not hardened per ASD and vendor guidance, attackers may exploit PDF features to run code or exfiltrate sensitive documents.
Operational notes
Periodically compare ASD and vendor PDF hardening guides, apply the most restrictive settings (e.g., JavaScript/macros, plugins, sandboxing), and verify after updates.
Implementation tips
- The IT manager should review the Australian Signals Directorate's (ASD) guidelines and the software vendor's security settings for PDF applications. They should identify the most restrictive settings provided by both and ensure those are applied to reduce risk.
- The system administrator should configure the PDF application settings according to the compiled list of most restrictive security settings. This might involve enabling password protection, disabling features that allow documents to run scripts, and ensuring automatic updates are turned on.
- The IT team should perform regular checks to confirm that all PDF applications remain compliant with the ASD and vendor guidelines. This can be done by using a checklist to verify that the security settings have not been altered or reverted.
- Procurement officers should ensure that any new PDF software purchased allows for the configurations specified by the ASD guidelines. This includes checking compatibility with security features before purchase.
- The IT support team should provide training to staff on recognising signs of malicious PDFs, such as unexpected pop-ups or requests for sensitive information. Training sessions can include examples and quick quizzes to ensure understanding.
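The operational notes and implementation tips above describe a procedure: take the ASD and vendor PDF hardening guides, keep the most restrictive value wherever they conflict, apply it, and re-check after updates that nothing has reverted. The script below is an added example of that compliance check and is not code from the Control Stack page, the ASD ISM, or any vendor. It uses real Adobe Acrobat Reader DC FeatureLockDown policy value names (bEnableJS, bProtectedMode, iProtectedView, bEnhancedSecurityStandalone), but the values attributed to the "ASD" and "vendor" baselines are constructed for illustration, not quoted from either guide, and the host snapshot is likewise constructed. On Windows, read_windows_snapshot() reads the live policy key; elsewhere the constructed snapshot is used.

```python
"""
Audit a PDF reader's lockdown settings against the most restrictive of two
hardening baselines. Added example for ISM-1860; not taken from the Control
Stack page, the ASD ISM, or any vendor guide.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Snapshot = Dict[str, int]


@dataclass(frozen=True)
class Setting:
    """A policy value plus a ranking function: higher rank = more restrictive."""
    name: str
    rank: Callable[[int], int]


# Adobe Acrobat Reader DC "FeatureLockDown" policy value names (real names,
# documented by the vendor). Which value each guide recommends is constructed
# for this example, not quoted from ASD or Adobe.
SETTINGS: Dict[str, Setting] = {
    "bEnableJS": Setting("bEnableJS", lambda v: 1 - v),        # 0 disables JavaScript
    "bProtectedMode": Setting("bProtectedMode", lambda v: v),  # 1 enables the sandbox
    "iProtectedView": Setting("iProtectedView", lambda v: v),  # 0 off, 1 unsafe files, 2 all files
    "bEnhancedSecurityStandalone": Setting("bEnhancedSecurityStandalone", lambda v: v),  # 1 on
}

# Constructed baselines: they deliberately conflict on iProtectedView.
ASD_BASELINE: Snapshot = {"bEnableJS": 0, "bProtectedMode": 1, "iProtectedView": 2}
VENDOR_BASELINE: Snapshot = {"bEnableJS": 0, "bProtectedMode": 1,
                             "iProtectedView": 1, "bEnhancedSecurityStandalone": 1}

# Constructed snapshot of a host after an update: JavaScript is back on and the
# enhanced-security key was never set.
SAMPLE_SNAPSHOT: Snapshot = {"bEnableJS": 1, "bProtectedMode": 1, "iProtectedView": 2}


def merge_most_restrictive(*baselines: Snapshot) -> Snapshot:
    """Union of the baselines; on conflict keep the higher-ranked (stricter) value."""
    merged: Snapshot = {}
    for baseline in baselines:
        for name, value in baseline.items():
            rank = SETTINGS[name].rank
            if name not in merged or rank(value) > rank(merged[name]):
                merged[name] = value
    return merged


def audit(snapshot: Snapshot, baseline: Snapshot) -> Dict[str, Tuple[int, Optional[int]]]:
    """Return {setting: (expected, actual)} for every setting that is missing or
    less restrictive than the baseline. A missing lockdown key is a finding because
    the reader then falls back to its (less restrictive) built-in default."""
    findings: Dict[str, Tuple[int, Optional[int]]] = {}
    for name, expected in baseline.items():
        actual = snapshot.get(name)
        rank = SETTINGS[name].rank
        if actual is None or rank(actual) < rank(expected):
            findings[name] = (expected, actual)
    return findings


def read_windows_snapshot() -> Snapshot:
    """Read the live FeatureLockDown policy values on a Windows host (empty elsewhere)."""
    try:
        import winreg  # Windows-only module
    except ImportError:
        return {}
    path = r"SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown"
    snapshot: Snapshot = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            for name in SETTINGS:
                try:
                    value, _ = winreg.QueryValueEx(key, name)
                    snapshot[name] = int(value)
                except FileNotFoundError:
                    pass  # value not set: audit() reports it as a finding
    except FileNotFoundError:
        pass  # no policy key at all: every setting becomes a finding
    return snapshot


def run_sample() -> Dict[str, Tuple[int, Optional[int]]]:
    """Audit the constructed snapshot against the merged (most restrictive) baseline."""
    return audit(SAMPLE_SNAPSHOT, merge_most_restrictive(ASD_BASELINE, VENDOR_BASELINE))


if __name__ == "__main__":
    live = read_windows_snapshot()
    snapshot = live if live else SAMPLE_SNAPSHOT
    for name, (expected, actual) in audit(
            snapshot, merge_most_restrictive(ASD_BASELINE, VENDOR_BASELINE)).items():
        print(f"DRIFT {name}: expected {expected}, found {actual}")
```

Run on the constructed snapshot, the check reports bEnableJS (reverted to 1) and bEnhancedSecurityStandalone (never set), while the iProtectedView conflict resolves to the stricter value 2 as the control statement requires. Extending it to other readers means adding their policy names and rank functions to SETTINGS; the merge and audit logic is reader-agnostic.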
Audit / evidence tips
- Ask: the document that outlines the PDF application hardening settings. Request a report from the IT manager that details how the ASD and vendor guidelines are implemented.
- Ask: user training records. Good: includes dated records and feedback forms showing employee participation.
- Ask: to see the procurement checklist for PDF applications. It should include reviewing security feature compatibility. Successful records have descriptions of tested features and any compliance check with the ASD guidelines.
Cross-framework mappings
How ISM-1860 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.9 | ISM-1860 requires hardening of PDF applications using ASD and vendor guidance, prioritising the most restrictive settings | |
E8
| Control | Notes | Details |
|---|---|---|
| Related (1) | | |
| E8-AH-ML2.9 | ISM-1860 requires PDF applications to be hardened using ASD and vendor hardening guidance, applying the most restrictive guidance where c... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.