Ensure Regular Updates of Software Registers
Regularly create and update software lists for all IT equipment to ensure proper maintenance.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Proactive
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
Nov 2024
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
N/A
Software registers for workstations, servers, network devices and networked IT equipment are developed, implemented, maintained and verified on a regular basis.
Source: ASD Information Security Manual (ISM)
Plain language
Having an up-to-date list of all the software on your computers and other tech gear is like making sure your pantry is stocked with fresh ingredients. If you don't keep track of what's there and what's needed, you could run into problems, like security gaps that let in hackers or systems that suddenly crash because they aren't maintained properly.
Why it matters
Inaccurate software registers leave systems untracked, increasing exposure to unpatched vulnerabilities, outages and unauthorised access.
Operational notes
Maintain software registers for workstations, servers and network devices; review monthly and update within 24 hours of installs/removals to keep records accurate.
Implementation tips
- The IT team should create a complete inventory of all software installed on your workstations, servers, and other networked devices. They can do this by using software asset management tools which automatically scan and list all installed applications.
- Managers should schedule regular check-ins with the IT team to ensure that the software inventory is up to date. This can be done monthly, and during these meetings, ensure there are protocols for adding new software as it gets installed.
- System owners should work with IT to remove any software that is not necessary or has reached its end of life. They should check the software inventory against current needs and licence agreements to decide what can be uninstalled.
- The procurement team should coordinate with IT to document any new software acquisitions. When purchasing new software, ensure details like licensing terms and maintenance agreements are entered into the software register.
- The IT security specialist should verify the inventory list against official security guidelines, like the Australian Cyber Security Centre's advice, to ensure no unapproved software poses a security risk. They should review this with IT every couple of months, making adjustments as needed.
Audit / evidence tips
-
Ask: the latest software inventory report: Request to see the current list of all software installed across the organisation’s devices
Good: means the list is comprehensive and regularly updated
-
Ask: to see meeting notes from regular software review sessions: Request documentation of the meetings held to keep the software list current
Good: will show regular meetings and action points followed up on
-
Ask: about the process for how new software is added to the inventory
Good: will have a simple, documented process with assigned roles
-
Ask: software removal logs: Request to see records detailing what software has been removed and why
Good: will show thoughtful decision-making and evidence of proper removal
-
Ask: evidence of checks against security guidelines
Good: will show regular checks with issues identified and resolved
Cross-framework mappings
How ISM-1493 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | ||
| Annex A 5.9 | Annex A 5.9 requires an up-to-date inventory of information and associated assets, including owners | |
| Annex A 8.19 | ISM-1493 requires organisations to develop, maintain and verify software registers, ensuring installed software is known and can be check... | |
| Supports (1) | ||
| Annex A 8.9 | ISM-1493 requires organisations to maintain and regularly verify software registers so they can evidence what software exists across thei... | |
E8
| Control | Notes | Details |
|---|---|---|
| Supports (3) | ||
| E8-AC-ML1.1 | ISM-1493 requires organisations to maintain and regularly verify software registers across devices, creating visibility of what executabl... | |
| E8-AC-ML3.1 | ISM-1493 requires organisations to maintain and regularly verify software registers for servers and other networked equipment, identifyin... | |
| E8-PA-ML3.3 | ISM-1493 requires organisations to maintain and verify software registers so they can reliably identify installed applications and their ... | |