Prevent Unauthorised Access to Software Source
Ensure only authorised users can access the main software source to keep it secure.
Plain language
Unauthorised access to your software's main source can be a major risk because it allows outsiders to change, steal, or damage your software. This is crucial to prevent because it could lead to serious issues like financial loss, data breaches, and even loss of customer trust.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2018
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Official control statement
Unauthorised access to the authoritative source for software is prevented.
Why it matters
If access to the authoritative source is not restricted, attackers or insiders can modify code or steal IP, leading to compromised integrity, data exposure, and reputational harm.
Operational notes
Enforce least privilege on source repositories (MFA, role-based access control scoped per repository), review access grants regularly, and monitor and audit both access events and commits in version control so unauthorised changes are detected and reverted quickly. Branch protection on the authoritative branch and signed commits make unauthorised changes harder to land and easier to attribute; the access review should cover service accounts, deploy keys and personal access tokens as well as human users.
Implementation tips
- System owners should ensure a list of authorised users is maintained and regularly updated. This can be done by identifying who needs access to the software's source based on their job roles and responsibilities, ensuring only they are on this list, and removing entries promptly when roles change or people leave.
- IT teams should set up secure access controls for the software's source. This involves using strong, unique credentials (changed when compromise is suspected), revoking unused tokens and keys, and, where possible, multi-factor authentication, which means verifying identity using more than one method.
- Managers should train staff on the importance of access control. Organise regular sessions to educate staff about the risks of unauthorised access and how to spot suspicious activity.
- Procurement teams should work with IT to select tools or services that monitor access to the software source. This could include setting up alerts when unusual activity is detected, so any risks are quickly addressed.
- Security officers should regularly review and audit access logs. This involves checking who accessed the software source and when, to spot any unauthorised access attempts quickly.
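The implementation tips above come down to one recurring check: reconcile the signed-off authorised-user list against what the repository's audit log actually shows. The script below is an added example, not code from the Control Stack page or the ISM. The JSON-lines log format, the user list and the event records are all constructed for the example; real platforms (GitHub, GitLab, Bitbucket, Gitea) each have their own audit-log schema, so the parser would need adapting. It flags four conditions a reviewer would want surfaced: access by an actor not on the list, a git operation performed without MFA, an access grant to someone not on the list, and list entries with no activity inside the review window (stale entries that should be removed).

```python
"""Reconcile an authorised-user list against source-repository access events.

Added example for ISM-1422; the log schema below is assumed (constructed):
one JSON object per line with "ts", "actor", "action", "repo", "mfa" and,
for access grants, "target".
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed authorised-user list, i.e. what the system owner signs off.
AUTHORISED = {
    "alice": {"role": "maintainer"},
    "bob": {"role": "developer"},
    "carol": {"role": "developer"},
}

# Constructed audit-log lines. Line 6 is deliberately malformed to show that
# unparseable records are reported rather than silently dropped.
SAMPLE_LOG = """\
{"ts": "2026-03-10T08:01:12Z", "actor": "alice", "action": "git.push", "repo": "payments", "mfa": true}
{"ts": "2026-03-10T09:14:02Z", "actor": "bob", "action": "git.clone", "repo": "payments", "mfa": true}
{"ts": "2026-03-11T22:47:55Z", "actor": "mallory", "action": "git.clone", "repo": "payments", "mfa": false}
{"ts": "2026-03-12T10:05:30Z", "actor": "bob", "action": "git.push", "repo": "payments", "mfa": false}
{"ts": "2026-03-12T10:06:00Z", "actor": "alice", "action": "repo.access_grant", "repo": "payments", "mfa": true, "target": "dave"}
{"ts": "2026-03-12T11:00:00Z", "actor": "bob"
"""

# Fixed "now" so the example is reproducible; a real run would use datetime.now(timezone.utc).
EXAMPLE_NOW = datetime(2026, 3, 19, tzinfo=timezone.utc)


def parse_events(text):
    """Parse JSON-lines audit records. Returns (events, malformed_line_numbers)."""
    events, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            events.append(ev)
        except (ValueError, KeyError):
            bad.append(lineno)
    return events, bad


def review(log_text, authorised, now, inactive_days=30):
    """Compare access events against the authorised list and return findings by category."""
    events, bad = parse_events(log_text)
    findings = defaultdict(list)
    last_seen = {}
    for ev in events:
        actor = ev.get("actor")
        if actor not in authorised:
            # Anyone touching the source who is not on the signed-off list.
            findings["unauthorised_actor"].append((actor, ev["action"], ev["repo"]))
            continue
        last_seen[actor] = max(ev["ts"], last_seen.get(actor, ev["ts"]))
        if ev["action"].startswith("git.") and not ev.get("mfa", False):
            # MFA is expected on every read/write of the authoritative source.
            findings["mfa_not_enforced"].append((actor, ev["action"], ev["repo"]))
        if ev["action"] == "repo.access_grant" and ev.get("target") not in authorised:
            # Access granted on the platform without first updating the list.
            findings["grant_to_unlisted_user"].append((actor, ev.get("target"), ev["repo"]))
    cutoff = now - timedelta(days=inactive_days)
    for user in sorted(authorised):
        seen = last_seen.get(user)
        if seen is None or seen < cutoff:
            # Listed but inactive: candidate for removal at the next access review.
            findings["stale_entry"].append(user)
    findings["unparseable_line"].extend(bad)
    return {k: v for k, v in findings.items() if v}


def run_example():
    """Run the review over the constructed data; used by the stand-alone run below."""
    return review(SAMPLE_LOG, AUTHORISED, EXAMPLE_NOW)


if __name__ == "__main__":
    for category, items in run_example().items():
        print(f"{category}:")
        for item in items:
            print(f"  {item}")
```

Run on the constructed data, the review reports mallory's clone as an unauthorised actor, bob's push without MFA, alice's grant to the unlisted user dave, carol as a stale entry, and the malformed sixth line. The same reconciliation, fed from the platform's real audit export and the signed-off list, is the evidence the audit tips below ask for.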
Audit / evidence tips
- Ask for the authorised user access list: request the document or system record listing everyone who can access the software source.
  Good evidence: an up-to-date list signed off by management.
- Ask for the access control policy: request the document outlining access procedures for the software source.
  Good evidence: a policy document that aligns with current best practice.
- Ask to see training records for staff: request proof of training sessions conducted on the importance of access control.
  Good evidence: documented records showing completed, regular training sessions.
- Ask for monitoring and alert records: request logs or reports showing how access to the software source is monitored.
  Good evidence: a system or log showing active monitoring and timely response to alerts.
- Ask to review recent access logs: request logs that detail recent access events for the software source.
  Good evidence: comprehensive logs with no unexplained anomalies in access patterns.
Cross-framework mappings
How ISM-1422 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 8.3 | ISM-1422 requires that unauthorised access to the authoritative source for software, such as the source code repository, is prevented | Information access restriction |
| Annex A 8.4 | ISM-1422 mandates preventing unauthorised access to the software source to protect its integrity and confidentiality | Access to source code |
| Supports (2) | | |
| Annex A 5.18 | ISM-1422 depends on correctly provisioning and maintaining authorisations to the authoritative software source | Access rights |
| Annex A 8.2 | ISM-1422 necessitates preventing unauthorised access to software sources by controlling high-risk accounts | Privileged access rights |
E8
| Control | Notes | Details |
|---|---|---|
| Supports (1) | | |
| E8-RA-ML2.4 | ISM-1422 focuses on preventing unauthorised access to software sources, including administrative access | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.