ISM-1588 ASD Information Security Manual (ISM)

Annual Review of Standard Operating Environments

Standard Operating Environments must be reviewed and updated once every year.

Plain language

Standard Operating Environments (SOEs) are like a set of rules for the software and systems used across your organisation. This annual review is important because it ensures everything is up-to-date and secure. If these rules are outdated, your organisation could be more vulnerable to cyber attacks, resulting in data breaches or loss of important information.

Framework

ASD Information Security Manual (ISM)

Control effect

Proactive

Classifications

NC, OS, P, S, TS

ISM last updated

July 2020

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

SOEs are reviewed and updated at least annually.

Why it matters

Outdated SOEs can expose systems to emerging threats, increasing the risk of breaches and compromising sensitive information.

Operational notes

Conduct an annual SOE baseline review: validate patch levels, security hardening, and approved software; document changes and re-issue the SOE.

Implementation tips

  • IT managers should schedule an annual review meeting. Gather the IT team responsible for the organisation's digital infrastructure to discuss current SOEs. During the meeting, ensure the team checks for obsolete software and updates system settings to match the latest security standards.
  • System administrators should list all existing systems covered under the SOE. Identify any systems that have been added or removed since the last review. This can be done by comparing current system inventories with the previous year's records.
  • The IT team should engage with software vendors. Check if there are new updates or security patches available for the software currently used within the SOEs. This might involve logging into vendor portals or subscribing to update notifications.
  • HR should update the roles and responsibility matrix. Ensure that the people responsible for maintaining the SOEs are still in the same roles or assign new people if roles have changed. Cross-check this matrix with the current team structure.
  • The compliance officer should document the review process. Write down the steps carried out, findings from the review, and any updates applied. This documentation will serve as evidence in audits and help guide the next review cycle.

Audit / evidence tips

  • Ask: The current system inventory report used during the SOE review. Good: Report includes all current systems with details like version numbers and last update dates.
  • Ask: Records of communications with software vendors. Good: Record would show timely requests and updated software version numbers, indicating proactivity in maintenance.
  • Good: Matrix will have recent date stamps and reflect any organisational changes, ensuring role accuracy for current team members.
  • Ask: To see the documented SOE review process.

Cross-framework mappings

How ISM-1588 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Control: Annex A 8.9
    Notes: ISM-1588 requires organisations to review and update Standard Operating Environments (SOEs) at least annually

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
