ISM-1422 ASD Information Security Manual (ISM)

Prevent Unauthorised Access to Software Source

Ensure only authorised users can access the main software source to keep it secure.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Aug 2018

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Unauthorised access to the authoritative source for software is prevented.

Source: ASD Information Security Manual (ISM)

Plain language

Unauthorised access to your software's main source can be a major risk because it allows outsiders to change, steal, or damage your software. Preventing it is crucial because such access could lead to serious issues like financial loss, data breaches, and even loss of customer trust.

Why it matters

If access to the authoritative source is not restricted, attackers or insiders can modify code or steal IP, leading to compromised integrity, data exposure, and reputational harm.

Operational notes

Enforce least-privilege access to source repositories (MFA, RBAC), review access regularly, and monitor and audit commits in version control to detect and remove unauthorised changes quickly.

Implementation tips

  • System owners should ensure a list of authorised users is maintained and regularly updated. This can be done by identifying who needs access to the software's source based on their job roles and responsibilities, and ensuring only they are on this list.
  • IT teams should set up secure access controls for the software's source. This involves using strong passwords and regularly changing them, and where possible, using multi-factor authentication, which means verifying identity using more than one method.
  • Managers should train staff on the importance of access control. Organise regular sessions to educate staff about the risks of unauthorised access and how to spot suspicious activity.
  • Procurement teams should work with IT to select tools or services that monitor access to the software source. This could include setting up alerts when unusual activity is detected, so any risks are quickly addressed.
  • Security officers should regularly review and audit access logs. This involves checking who accessed the software source and when, to spot any unauthorised access attempts quickly.

Audit / evidence tips

  • Ask for the authorised user access list: request to see the document or system record listing everyone who can access the software source

    Good: An up-to-date list signed off by management

  • Ask for the access control policy: request the document outlining access procedures to the software source

    Good: A policy document that aligns with current best practices

  • Ask to see training records for staff: request proof of training sessions conducted on access control importance

    Good: Documented records showing completed regular training sessions

  • Ask for monitoring and alert records: request logs or reports on how access to the software source is monitored

    Good: A system or log showing active monitoring and timely response to alerts

  • Ask to review recent access logs: request logs that detail recent access events for the software source

    Good: Comprehensive logs with no unexplained anomalies in access patterns

Cross-framework mappings

How ISM-1422 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (2)

  • Annex A 8.3: ISM-1422 requires that unauthorised access to the authoritative source for software, such as the source code repository, is prevented
  • Annex A 8.4: ISM-1422 mandates preventing unauthorised access to the software source to protect its integrity and confidentiality

Supports (2)

  • Annex A 5.18: ISM-1422 depends on correctly provisioning and maintaining authorisations to the authoritative software source
  • Annex A 8.2: ISM-1422 necessitates preventing unauthorised access to software sources by controlling high-risk accounts

E8

Supports (1)

  • E8-RA-ML2.4: ISM-1422 focuses on preventing unauthorised access to software sources, including administrative access
