diff --git a/app/controllers/batch_invitation_permissions_controller.rb b/app/controllers/batch_invitation_permissions_controller.rb
index 80329c46cd..af73635c12 100644
--- a/app/controllers/batch_invitation_permissions_controller.rb
+++ b/app/controllers/batch_invitation_permissions_controller.rb
@@ -3,6 +3,7 @@ class BatchInvitationPermissionsController < ApplicationController
   before_action :authenticate_user!
   before_action :load_batch_invitation
   before_action :authorise_to_manage_permissions
+  before_action :prevent_updating
 
   helper_method :applications_and_permissions
 
@@ -29,6 +30,13 @@ def authorise_to_manage_permissions
     authorize @batch_invitation, :manage_permissions?
   end
 
+  def prevent_updating
+    if @batch_invitation.has_permissions?
+      flash[:alert] = "Permissions have already been set for this batch of users"
+      redirect_to batch_invitation_path(@batch_invitation)
+    end
+  end
+
   def grant_default_permissions(batch_invitation)
     SupportedPermission.default.each do |default_permission|
       batch_invitation.grant_permission(default_permission)
diff --git a/test/controllers/batch_invitation_permissions_controller_test.rb b/test/controllers/batch_invitation_permissions_controller_test.rb
index 714e851045..59e82e838f 100644
--- a/test/controllers/batch_invitation_permissions_controller_test.rb
+++ b/test/controllers/batch_invitation_permissions_controller_test.rb
@@ -25,6 +25,16 @@ class BatchInvitationPermissionsControllerTest < ActionController::TestCase
   end
 
   context "GET new" do
+    should "not allow access if batch invitation already has permissions" do
+      @batch_invitation.supported_permission_ids = [@app.signin_permission.id]
+      @batch_invitation.save!
+
+      get :new, params: { batch_invitation_id: @batch_invitation.id }
+
+      assert_match(/Permissions have already been set for this batch of users/, flash[:alert])
+      assert_redirected_to "/batch_invitations/#{@batch_invitation.id}"
+    end
+
     should "allow selection of application permissions to grant to users" do
       get :new, params: { batch_invitation_id: @batch_invitation.id }
 
@@ -36,6 +46,16 @@ class BatchInvitationPermissionsControllerTest < ActionController::TestCase
   end
 
   context "POST create" do
+    should "not accept submission if batch invitation already has permissions" do
+      @batch_invitation.supported_permission_ids = [@app.signin_permission.id]
+      @batch_invitation.save!
+
+      post :create, params: { batch_invitation_id: @batch_invitation.id }
+
+      assert_match(/Permissions have already been set for this batch of users/, flash[:alert])
+      assert_redirected_to "/batch_invitations/#{@batch_invitation.id}"
+    end
+
     should "grant selected permissions and default permissions to BatchInvitation" do
       support_app = create(:application, name: "Support")
       support_app.signin_permission.update!(default: true)