ISM-1730 policy ASD Information Security Manual (ISM)

Provide a Software Bill of Materials to Consumers

Ensure software users receive a detailed list of included software components.


Plain language

A Software Bill of Materials (SBOM) is like a list of ingredients for your software. It tells you what software components and versions are included in any application you use. This is important because knowing what’s inside can help identify potential security risks or legal issues, like if a component has vulnerabilities that need to be fixed, which could otherwise lead to hacks or data breaches.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2021

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

A software bill of materials is produced and made available to consumers of software.

Why it matters

Without an SBOM, vulnerabilities in third-party components may be missed, slowing mitigation and increasing breach risk.


Operational notes

Automate SBOM generation in CI/CD and publish it with every release; keep component identifiers/versions consistent across updates.


Implementation tips

  • Software developers should create and document an SBOM for each product they develop. They can do this by listing all the libraries and components they use, including open source ones, along with their versions and sources.
  • Managers should ensure that the IT team regularly updates the SBOM when changes or updates are made to the software. This can be done by scheduling routine checks and updates after every major release or patch.
  • The IT team should work on making the SBOM accessible to consumers, such as clients or users. This could be achieved by including it as part of the user documentation or software packaging.
  • Procurement teams should request an SBOM from their software vendors before purchasing software products. This involves contacting the vendor and verifying that the SBOM includes detailed component information.
  • Legal and compliance teams should review the SBOM to ensure all components comply with relevant licensing agreements. They can do this by cross-referencing components against known licence databases to spot any compliance issues.

Audit / evidence tips

  • Ask: A copy of the SBOM for a chosen software application. Good: Includes a complete list with no omissions and accurate details.
  • Good: Is a recent update log with details on what was changed.
  • Ask: A demonstration of how the SBOM is provided to consumers. Good: Is an accessible and user-friendly method for consumers.
  • Good: Includes documented procedures adhered to by the software development team.
  • Ask: To see the review process that checks component compliance. Good: Shows a systematic check, possibly using specialised software or a detailed review checklist.
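The operational note above asks for SBOMs generated in CI/CD with consistent component identifiers across releases, and the audit tips ask for a complete list with no omissions plus an update log. The following is an added example, not code from the ISM or from Control Stack, of a release-gate check that validates a CycloneDX-style SBOM for missing identifiers and diffs two releases to produce that change record; the two SBOMs and their package names and versions are constructed sample data.

```python
import json

# Constructed minimal CycloneDX-style SBOMs for two releases of a hypothetical
# application. Sample data only; not any vendor's real SBOM.
SBOM_V1 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "urllib3", "version": "1.26.18",
         "purl": "pkg:pypi/urllib3@1.26.18"},
    ],
})
SBOM_V2 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.32.3",
         "purl": "pkg:pypi/requests@2.32.3"},
        {"type": "library", "name": "urllib3", "version": "2.2.2"},  # purl omitted on purpose
        {"type": "library", "name": "certifi", "version": "2024.7.4",
         "purl": "pkg:pypi/certifi@2024.7.4"},
    ],
})

# Fields every component must carry so consumers can match it against
# vulnerability and licence data: name, version, and a package URL identifier.
REQUIRED = ("name", "version", "purl")

def check_completeness(sbom_json):
    """Return a list of findings; an empty list means the SBOM passes the gate."""
    bom = json.loads(sbom_json)
    findings = []
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("not a CycloneDX document")
    for i, comp in enumerate(bom.get("components", [])):
        missing = [f for f in REQUIRED if not comp.get(f)]
        if missing:
            name = comp.get("name", "?")
            findings.append(f"component[{i}] {name}: missing {', '.join(missing)}")
    return findings

def diff_sboms(old_json, new_json):
    """Compare two releases by component name to build the update log."""
    def index(doc):
        return {c["name"]: c.get("version") for c in json.loads(doc).get("components", [])}
    old, new = index(old_json), index(new_json)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": {n: (old[n], new[n]) for n in old.keys() & new.keys() if old[n] != new[n]},
    }
```

In a pipeline, a non-empty result from check_completeness would fail the release, and the diff_sboms output would be published alongside the SBOM as the change log for auditors.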

Cross-framework mappings

How ISM-1730 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

  • Partially meets (1): Annex A 8.25. ISM-1730 requires that a software bill of materials (SBOM) is produced and made available to consumers of software.
  • Supports (2): Annex A 5.32. Annex A 5.32 requires procedures to protect intellectual property rights, encompassing legal and contractual aspects related to software.
  • Supports (2): Annex A 8.9. ISM-1730 requires that an SBOM is produced and made available to consumers of software.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
