Ensure Macros Are Free of Malicious Code
Verify that Microsoft Office macros are safe before signing or storing them in trusted locations.
Plain language
This control ensures that any macros used in Microsoft Office documents are safe and free from malicious code before they're trusted or shared. If we don't check these macros, we risk hackers using them to access our systems and steal sensitive information or cause other damage.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Guideline
Guidelines for system hardening
Section
User application hardening
Topic
Microsoft Office Macros
Official control statement
Microsoft Office macros are checked to ensure they are free of malicious code before being digitally signed or placed within Trusted Locations.
Why it matters
Unchecked Microsoft Office macros can run malicious code, enabling unauthorised access, ransomware, or data theft via trusted documents.
Operational notes
Before signing or adding to Trusted Locations, review and test Office macros; use static analysis and malware scanning, then store approved versions.
Implementation tips
- The IT team should regularly review and update the list of trusted sources for macros. They can do this by setting policies within Microsoft Office to only allow macros from verified publishers, ensuring these settings are applied across all company devices.
- Managers should educate staff about the dangers of enabling unknown macros. They can arrange training sessions explaining how to identify trustworthy macros and encourage staff to report suspicious activity.
- The IT team should use antivirus software to automatically scan macros for malicious code. This involves setting up the software to regularly check all Office documents before they’re saved or opened.
- System owners must create a policy that requires all new macros to be reviewed and approved before use. They should document this process clearly and ensure it includes steps for checking both the source and content of the macros.
- Office managers should store all approved macros in a centralised location on their secure network. This involves setting up a shared folder with restricted access, where only authorised personnel can add or modify macros.
Audit / evidence tips
- Ask: the list of trusted macro sources used by the organisation
  Good: would show recent reviews and clear reasoning for each trusted source
- Good: includes a recent session with a list of attendees and detailed training materials
- Ask: to see the antivirus configuration report for macro scanning
  Good: will have a recent report showing that scans are up-to-date and cover all devices
- Good: includes specific roles assigned and a recent date of policy update
- Ask: access to the secure folder containing approved macros. Check the permissions and last modification dates
  Good: shows restricted access to select personnel and recent activity logs
Cross-framework mappings
How ISM-1890 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | Annex A 8.7 | Annex A 8.7 requires malware protection measures and user awareness to prevent and detect malicious code |
E8
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | E8-RM-ML3.3 | E8-RM-ML3.3 restricts Trusted Location modifications to privileged macro verification users to prevent unauthorised placement |
| Supports | E8-RM-ML3.1 | E8-RM-ML3.1 requires macros to only execute if sandboxed, in Trusted Locations, or signed by a trusted publisher |
| Related | E8-RM-ML3.2 | E8-RM-ML3.2 requires Microsoft Office macros to be checked to ensure they are free of malicious code before they are digitally signed or ... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.