Restrict Non-V3 Signed Macros in Microsoft Office
Microsoft Office can't enable macros signed with old methods via common interfaces.
Plain language
This control means that only the latest and most secure type of digital signatures, known as V3 signatures, can enable macros in Microsoft Office. This is important because older types of signatures can make it easier for harmful software to sneak in and cause problems, like stealing your data or damaging your files.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Guideline
Guidelines for system hardening
Section
User application hardening
Topic
Microsoft Office Macros
Official control statement
Microsoft Office macros digitally signed by signatures other than V3 signatures cannot be enabled via the Message Bar or Backstage View.
Why it matters
If users can enable macros signed with non‑V3 signatures via the Message Bar or Backstage View, malicious macros may run, causing compromise and data loss.
Operational notes
Configure Office (for example via GPO) to prevent non‑V3 signed macros from being enabled via the Message Bar or Backstage View; regularly test with sample signed macros and audit policy settings.
Implementation tips
- The IT team should update Microsoft Office settings to restrict macros to only those with V3 signatures. They can do this by accessing Office's security settings and configuring them to trust only V3 signed macros.
- System owners should work with the IT team to ensure staff are trained on why only V3 signed macros are allowed. Conduct a training session explaining the dangers of enabling unverified macros and how this setting helps protect the organisation.
- Managers should verify that supplier and partner documents use V3 signatures if they require macro functionalities. Communicate with suppliers to ensure their documents comply with the V3 signature standard.
- The IT team should conduct regular checks to confirm the policy is in place across all computers. Use a central management tool to review Office settings and verify that only V3 signed macros are enabled.
- HR should incorporate macro security training into the onboarding process. Ensure new employees are aware of the importance of document security and the business's macro policies.
Audit / evidence tips
- Ask: records of Office security configuration: Request documentation showing how Office is configured to allow only V3 signed macros
  Good: is documentation that lists the V3 signature as a requirement in the Office security settings
- Ask: records of staff who attended the macro security training
  Good: includes a complete log with all current staff names and recent training dates
- Ask: a vendor compliance list: Request a list of suppliers who have been informed about V3 requirements
  Good: shows that all relevant suppliers are aware of and compliant with the V3 signature requirement
- Ask: documented evidence of checks performed on macro usage
  Good: provides logs detailing blocked attempts due to invalid signatures
- Ask: an onboarding process document: Request the HR onboarding policy that includes macro security training
  Good: includes a comprehensive guide that aligns with the organisational policy on V3 macros
Cross-framework mappings
How ISM-1891 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| E8-RM-ML3.4 | E8-RM-ML3.4 requires blocking the enabling of macros when the macro is signed by an untrusted publisher via the Message Bar or Backstage ... | |
| Supports (3) | | |
| E8-RM-ML1.2 | E8-RM-ML1.2 requires internet-origin Microsoft Office macros to be blocked | |
| E8-RM-ML3.1 | E8-RM-ML3.1 enforces macro execution only under trusted conditions (sandbox, Trusted Location, or trusted publisher signature) | |
| E8-RM-ML3.2 | E8-RM-ML3.2 requires that macros are checked for malicious code before being trusted via signing or Trusted Locations | |
| Related (1) | | |
| E8-RM-ML3.5 | ISM-1891 requires that Microsoft Office macros signed with signatures other than V3 signatures cannot be enabled via the Message Bar or B... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.