Scan Third-Party SOEs for Malicious Code
Third-party standard operating environments must be checked for viruses and bad configurations.
Plain language
This control is about ensuring that software and systems we get from outside sources are checked for harmful code or configurations that could cause problems or expose us to cyber attacks. It's important to do this because, if missed, malicious code could harm our operations, steal data, or let outsiders access our systems.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Operating system hardening
Official control statement
SOEs provided by third parties are scanned for malicious code and configurations.
Why it matters
Neglecting to scan third-party SOEs can introduce malware or insecure settings, leading to compromise, data breaches, and operational disruption.
Operational notes
Before deployment, scan all third-party SOE images for malware and insecure configurations; re-scan on updates and keep scan results as evidence.
Implementation tips
- The IT team should scan third-party software before it's installed on company systems. Use reliable antivirus and anti-malware tools to perform these scans. Make sure the tools are updated regularly so they can catch the latest threats.
- Procurement officers should require third-party vendors to provide documentation or certification that their software has been tested for security issues. This might involve asking vendors for security assessment reports or compliance certificates before purchase orders are approved.
- System owners should review any third-party software updates or patches before they’re applied. Collaborate with IT to test updates in a safe, separate environment (sandbox) to check for issues without affecting live systems.
- Managers should set up a procedure for reporting security concerns. Encourage staff to report suspicious behaviour related to third-party software promptly to the IT team for further investigation.
- HR should incorporate cyber security awareness training about the risks of third-party software. Ensure staff know the importance of not using unmanaged software or plugins that haven’t been properly vetted by the organisation.
Audit / evidence tips
- Ask: virus and malware scan reports for third-party software. Request documentation of scan reports detailing when and how the software was checked.
  Good: recent, clear reports showing that no threats were detected and the software is safe to deploy.
- Ask: vendor security certifications or assessment reports. Request the security documents vendors provide for their software.
  Good: up-to-date certifications from reputable organisations.
- Ask: logs or records from sandbox testing of software updates. Request documentation showing that updates were tested in a safe, separate environment before installation.
  Good: detailed testing logs showing no issues and a recorded approval to install.
- Ask: the incident report log related to third-party software. Request access to records of any incidents linked to third-party software.
  Good: a complete incident log with prompt resolutions and follow-up actions recorded.
- Ask: records of staff training sessions on third-party software risks. Request training attendance records and the materials used.
  Good: comprehensive records showing that regular, relevant training sessions were conducted.
Cross-framework mappings
How ISM-1608 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.7 | ISM-1608 requires third-party standard operating environments (SOEs) to be scanned for malicious code and checked for unsafe/non-complian... |
| Partially overlaps | Annex A 8.9 | ISM-1608 requires third-party SOEs to be checked for insecure or non-compliant configurations (as well as malicious code) before they are... |
| Supports | Annex A 8.19 | ISM-1608 requires scanning and verification of third-party SOEs for malicious code and unsafe configurations before they are introduced i... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.