Ensure Regular Updates of Software Registers
Regularly create and update software lists for all IT equipment to ensure proper maintenance.
Plain language
Having an up-to-date list of all the software on your computers and other tech gear is like making sure your pantry is stocked with fresh ingredients. If you don't keep track of what's there and what's needed, you could run into problems, like security gaps that let in hackers or systems that suddenly crash because they aren't maintained properly.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Software registers for workstations, servers, network devices and networked IT equipment are developed, implemented, maintained and verified on a regular basis.
Why it matters
Inaccurate software registers leave systems untracked, increasing exposure to unpatched vulnerabilities, outages and unauthorised access.
Operational notes
Maintain software registers for workstations, servers and network devices; review monthly and update within 24 hours of installs/removals to keep records accurate.
Implementation tips
- The IT team should create a complete inventory of all software installed on your workstations, servers, and other networked devices. They can do this by using software asset management tools which automatically scan and list all installed applications.
- Managers should schedule regular check-ins with the IT team to ensure that the software inventory is up to date. These can be held monthly; during these meetings, confirm there are protocols for adding new software as it gets installed.
- System owners should work with IT to remove any software that is not necessary or has reached its end of life. They should check the software inventory against current needs and licence agreements to decide what can be uninstalled.
- The procurement team should coordinate with IT to document any new software acquisitions. When purchasing new software, ensure details like licensing terms and maintenance agreements are entered into the software register.
- The IT security specialist should verify the inventory list against official security guidelines, like the Australian Cyber Security Centre's advice, to ensure no unapproved software poses a security risk. They should review this with IT every couple of months, making adjustments as needed.
Audit / evidence tips
- Ask for the latest software inventory report: Request to see the current list of all software installed across the organisation’s devices.
  Good means the list is comprehensive and regularly updated.
- Ask to see meeting notes from regular software review sessions: Request documentation of the meetings held to keep the software list current.
  Good will show regular meetings and action points followed up on.
- Ask about the process for how new software is added to the inventory.
  Good will have a simple, documented process with assigned roles.
- Ask for software removal logs: Request to see records detailing what software has been removed and why.
  Good will show thoughtful decision-making and evidence of proper removal.
- Ask for evidence of checks against security guidelines.
  Good will show regular checks with issues identified and resolved.
Cross-framework mappings
How ISM-1493 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| Annex A 5.9 | Annex A 5.9 requires developing and maintaining an inventory of information and associated assets, including owners | |
| Annex A 8.19 | ISM-1493 requires organisations to develop, maintain and verify software registers, ensuring installed software is known and can be check... | |
| Supports (1) | | |
| Annex A 8.9 | ISM-1493 requires organisations to maintain and regularly verify software registers so they can evidence what software exists across thei... | |
E8
| Control | Notes | Details |
|---|---|---|
| Supports (4) | | |
| E8-AC-ML1.1 | ISM-1493 requires organisations to maintain and regularly verify software registers across devices, creating visibility of what executabl... | |
| E8-PO-ML1.1 | E8-PO-ML1.1 focuses on discovering assets automatically at least fortnightly to enable effective vulnerability scanning coverage | |
| E8-AC-ML3.1 | ISM-1493 requires organisations to maintain and regularly verify software registers for servers and other networked equipment, identifyin... | |
| E8-PA-ML3.3 | ISM-1493 requires organisations to maintain and verify software registers so they can reliably identify installed applications and their ... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.