Select vendors committed to Secure by Design
Choose vendors who prioritise secure design and development in their applications.
Plain language
Choosing the right software vendors is like picking the best insurance for your business. When you select vendors that build their products with security in mind from the ground up, you're less likely to suffer from data breaches or system failures. If a vendor doesn't prioritise secure design, you might end up with software that exposes your business to hackers, leading to data loss, financial damage, and reputational harm.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
User application hardening
Official control statement
Vendors that have demonstrated a commitment to Secure by Design and Secure by Default principles and practices, including secure programming practices and either memory-safe programming languages or less preferably memory-safe programming practices, are used for user applications.
Why it matters
Using vendors that lack Secure-by-Design/Secure-by-Default commitments and memory safety increases the number of exploitable flaws (for example memory corruption bugs) in user applications and the likelihood of compromise.
Operational notes
Regularly assess vendor security posture: evidence of Secure-by-Design/Secure-by-Default practices, a secure development lifecycle (SDLC) with secure coding standards, and use of memory-safe languages where feasible, falling back to documented memory-safe programming practices where a memory-safe language is not used.
Implementation tips
- Look at vendors who build in memory-safe programming languages (preferred by the control) or who demonstrably follow stringent secure coding practices where a memory-safe language is not used
- IT managers should collaborate with the procurement team to set evaluation criteria for vendors. They should draft a checklist of security features and practices that vendors must meet and ensure this is part of the vendor selection process.
- Ask vendors to provide case studies or references where their secure practices have benefited other clients
- Compliance officers should ensure contracts with vendors include clauses on security practices. This can involve reviewing legal documents to mandate that vendors adhere to secure programming standards throughout the relationship.
- IT teams should run penetration tests on applications from vendors. This involves attempting to find vulnerabilities in the software and tracking that the vendor addresses them promptly.
Audit / evidence tips
- Ask for: the vendor evaluation report. Request the documents used to assess the vendor's security practices.
  Good evidence: a well-documented report showing vendors align with secure-by-design requirements.
- Ask for: the procurement decision criteria checklist. Review the checklist used by the procurement team.
  Good evidence: a checklist that clearly benchmarks vendor practices against industry security standards.
- Ask for: contracts with vendors. Request the contract or agreement details which outline security practices.
  Good evidence: a contract with clear terms on required secure design and development practices.
- Ask for: results of vendor application penetration tests. Review the reports from these tests.
  Good evidence: a test report showing vulnerabilities identified, fixes applied, and vendor cooperation.
- Ask for: examples of vendor support responses. Request evidence of vendor responses to any security incidents or queries.
  Good evidence: documented and timely vendor responses detailing the resolution steps taken.
Cross-framework mappings
How ISM-0938 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
Relationship: partially meets (4 mapped controls)

| Control | Notes |
|---|---|
| Annex A 5.21 | ISM-0938 focuses on choosing vendors for user applications who demonstrate Secure by Design/Secure by Default practices |
| Annex A 8.25 | ISM-0938 requires selecting vendors whose development practices demonstrate Secure by Design/Secure by Default |
| Annex A 8.27 | ISM-0938 seeks vendors with a commitment to Secure by Design/Secure by Default, including memory safety |
| Annex A 8.28 | ISM-0938 requires organisations to select user application vendors that demonstrate Secure by Design/Secure by Default, including secure ... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.