Ensure Macros Are Free of Malicious Code
Verify that Microsoft Office macros are safe before signing or storing them in trusted locations.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
Nov 2023
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
ML3
Guideline: Guidelines for system hardening
Section: User application hardening
Topic: Microsoft Office Macros
Microsoft Office macros are checked to ensure they are free of malicious code before being digitally signed or placed within Trusted Locations.
Source: ASD Information Security Manual (ISM)
Plain language
This control ensures that any macros used in Microsoft Office documents are safe and free from malicious code before they're trusted or shared. If we don't check these macros, we risk hackers using them to access our systems and steal sensitive information or cause other damage.
Why it matters
Unchecked Microsoft Office macros can run malicious code, enabling unauthorised access, ransomware, or data theft via trusted documents.
Operational notes
Before signing or adding to Trusted Locations, review and test Office macros; use static analysis and malware scanning, then store approved versions.
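As an added illustration of the "static analysis" step above (this is example code, not part of the ISM or of the Control Stack page), the script below runs a heuristic review over VBA source text before it would be signed or placed in a Trusted Location. It flags auto-executing procedures, calls that business macros rarely need, and strings assembled from character codes, and reduces the findings to a risk level a reviewer can act on. The indicator lists, the `analyze_vba` function name and both sample macros are assumptions constructed for this example; the second sample only echoes text and is not functional malware.

```python
"""Heuristic static review of VBA macro source (added example; the indicator
lists, function names and sample macros below are constructed assumptions)."""
import re
from dataclasses import dataclass, field

# Procedure names Office runs automatically when a document or workbook opens/closes.
AUTO_EXEC = [
    "AutoOpen", "Auto_Open", "AutoExec", "AutoClose", "Auto_Close",
    "Document_Open", "Document_Close", "Workbook_Open", "Workbook_Activate",
]

# Calls that legitimate business macros rarely need; each is worth a reviewer's look.
SUSPICIOUS_CALLS = {
    r"(?<!\.)\bShell\b": "Shell: launches an external program",
    r"\bCreateObject\s*\(": "CreateObject: late-bound COM object creation",
    r"WScript\.Shell": "WScript.Shell: scripting-host command execution",
    r"URLDownloadToFile": "URLDownloadToFile: downloads a file from a URL",
    r"\bDeclare\s+(PtrSafe\s+)?Function": "Declare: calls into a native DLL",
    r"\bEnviron\s*\(": "Environ: reads environment variables",
    r"ExecuteExcel4Macro": "ExecuteExcel4Macro: legacy XLM macro execution",
    r"\bKill\b": "Kill: deletes files",
}


@dataclass
class Finding:
    line: int
    kind: str      # "autoexec", "suspicious" or "obfuscation"
    detail: str


@dataclass
class Report:
    findings: list = field(default_factory=list)

    @property
    def risk(self) -> str:
        """'high' when code runs automatically AND does something suspicious."""
        kinds = {f.kind for f in self.findings}
        if not kinds:
            return "no indicators"
        if "autoexec" in kinds and kinds & {"suspicious", "obfuscation"}:
            return "high"
        return "review"


def strip_comment(line: str) -> str:
    """Drop a trailing ' comment, ignoring apostrophes inside string literals."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line


def analyze_vba(source: str) -> Report:
    """Scan VBA source line by line and collect findings with line numbers."""
    report = Report()
    auto_re = re.compile(
        r"^\s*(Private\s+|Public\s+)?Sub\s+(" + "|".join(AUTO_EXEC) + r")\b", re.I)
    for no, raw in enumerate(source.splitlines(), start=1):
        line = strip_comment(raw)
        m = auto_re.match(line)
        if m:
            report.findings.append(Finding(no, "autoexec", f"{m.group(2)} runs without user action"))
        for pattern, why in SUSPICIOUS_CALLS.items():
            if re.search(pattern, line, re.I):
                report.findings.append(Finding(no, "suspicious", why))
        # Three or more Chr()/ChrW() calls on one line, or StrReverse, usually means
        # a string is being hidden from simple keyword scanning.
        if len(re.findall(r"\bChrW?\s*\(", line, re.I)) >= 3 or re.search(r"\bStrReverse\s*\(", line, re.I):
            report.findings.append(Finding(no, "obfuscation", "string assembled from character codes / reversed"))
    return report


# Constructed sample: a harmless formatting macro a business user might write.
BENIGN_MACRO = """
' Formats the header row of the active sheet
Sub FormatHeader()
    Rows(1).Font.Bold = True
    Rows(1).Interior.Color = RGB(220, 220, 220)
End Sub
"""

# Constructed sample carrying the classic indicators; it only echoes text.
INDICATOR_MACRO = """
Sub Document_Open()
    Dim cmd As String
    cmd = Chr(99) & Chr(109) & Chr(100)  ' "cmd" assembled from char codes
    Set sh = CreateObject("WScript.Shell")
    sh.Run cmd & " /c echo constructed-sample"
End Sub
"""

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_MACRO), ("indicator", INDICATOR_MACRO)):
        rep = analyze_vba(src)
        print(f"{name}: risk={rep.risk}")
        for f in rep.findings:
            print(f"  line {f.line} [{f.kind}] {f.detail}")
```

A "high" result means the macro both runs without user action and does something a document rarely needs; it should not be signed until a reviewer has read the code and the file has been through malware scanning and, ideally, a sandbox run. A "review" result still needs a human decision, since plain keyword matching cannot tell a legitimate `Shell` call from a malicious one.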
Implementation tips
- The IT team should regularly review and update the list of trusted sources for macros. They can do this by setting policies within Microsoft Office to only allow macros from verified publishers, ensuring these settings are applied across all company devices.
- Managers should educate staff about the dangers of enabling unknown macros. They can arrange training sessions explaining how to identify trustworthy macros and encourage staff to report suspicious activity.
- The IT team should use antivirus software to automatically scan macros for malicious code. This involves setting up the software to regularly check all Office documents before they’re saved or opened.
- System owners must create a policy that requires all new macros to be reviewed and approved before use. They should document this process clearly and ensure it includes steps for checking both the source and content of the macros.
- Office managers should store all approved macros in a centralised location on their secure network. This involves setting up a shared folder with restricted access, where only authorised personnel can add or modify macros.
Audit / evidence tips
- Ask: the list of trusted macro sources used by the organisation. Good: would show recent reviews and clear reasoning for each trusted source
- Good: includes a recent session with a list of attendees and detailed training materials
- Ask: to see the antivirus configuration report for macro scanning. Good: will have a recent report showing that scans are up-to-date and cover all devices
- Good: includes specific roles assigned and a recent date of policy update
- Ask: access to the secure folder containing approved macros. Check the permissions and last modification dates. Good: shows restricted access to select personnel and recent activity logs
Cross-framework mappings
How ISM-1890 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | ||
| Annex A 8.7 | Annex A 8.7 requires malware protection measures and user awareness to prevent and detect malicious code | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | ||
| E8-RM-ML3.3 | E8-RM-ML3.3 restricts Trusted Location modifications to privileged macro verification users to prevent unauthorised placement | |
| Supports (1) | ||
| E8-RM-ML3.1 | E8-RM-ML3.1 requires macros to only execute if sandboxed, in Trusted Locations, or signed by a trusted publisher | |
| Related (1) | ||
| E8-RM-ML3.2 | E8-RM-ML3.2 requires Microsoft Office macros to be checked to ensure they are free of malicious code before they are digitally signed or ... | |