Ensure Secure Design in Virtual Server Isolation
Use isolation software from vendors that prioritise security in their design and development.
Plain language
When you're running multiple virtual servers on a single physical machine, ensuring secure design means choosing software from companies that make safety their top priority. This is crucial because poorly designed software can lead to vulnerabilities, potentially allowing hackers to access sensitive information across all the servers sharing that machine.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2025
Control Stack last updated
19 May 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardeningSection
Virtualisation hardeningOfficial control statement
When using a software-based isolation mechanism to share a physical server's hardware, the isolation mechanism is from a vendor that has demonstrated a commitment to Secure by Design and Secure by Default principles and practices, including secure programming practices and either memory-safe programming languages or less preferably memory-safe programming practices.
Why it matters
Without a Secure-by-Design isolation layer, attackers can exploit hypervisor flaws to escape a VM and access other tenants’ data.
Operational notes
Select an isolation vendor with a proven Secure-by-Design program and evidence of memory-safe languages or practices; review patch cadence and advisories.
Implementation tips
- Procurement should evaluate software vendors: When choosing an isolation solution for virtual servers, make sure the vendor demonstrates strong security practices in their product development. Check for vendor documentation or third-party reviews that verify their commitment to 'Secure by Design.'
- IT teams should conduct thorough testing: Before deploying isolation software, carry out detailed testing in a controlled environment to assess its security features. Use scenarios that mimic real-world threats to see how well the software can protect the system.
- System owners should oversee software implementation: Collaborate with IT to ensure the new software for server isolation is configured to maximise security. Follow guidance from the software provider to apply best practices in setup.
- Managers should establish a review process: Set up regular intervals (e.g., quarterly) to review the isolation software's effectiveness and updates. This helps ensure continued protection against evolving cyber threats.
- Security officers should coordinate regular training: Provide ongoing training for staff responsible for managing virtual servers. This training should focus on the latest security techniques related to software isolation to keep their skills current.
Audit / evidence tips
- AskThe vendor's security commitment documentation: Request evidence that the software vendor is committed to security principles like 'Secure by Design.' Look at how they incorporate these principles into their design and development process GoodWould include clear references to secure development practices, either in vendor documentation or independent evaluations
- GoodIs a detailed report showing various tests conducted and vulnerabilities addressed
- AskConfiguration records: Obtain the configuration settings used for the isolation software deployed in your environment GoodShows settings that align with those recommended practices
- GoodIncludes interval reports demonstrating proactive management and updates where needed
Cross-framework mappings
How ISM-1460 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.27 | ISM-1460 requires that when an organisation uses software-based isolation to share a physical server, the isolation mechanism comes from ... | |
| sync_alt Partially overlaps (1) expand_less | ||
| Annex A 8.28 | ISM-1460 requires the isolation mechanism vendor to demonstrate Secure by Design/Secure by Default practices, explicitly calling out secu... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.