ISM-1730 ASD Information Security Manual (ISM)

Provide a Software Bill of Materials to Consumers

Ensure software users receive a detailed list of included software components.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Nov 2021

✏️ Control Stack last updated

19 Mar 2026

🎯 E8 maturity levels

N/A

Official control statement
A software bill of materials is produced and made available to consumers of software.

Source: ASD Information Security Manual (ISM)

Plain language

A Software Bill of Materials (SBOM) is like a list of ingredients for your software: it tells you which software components, and which versions of them, are included in an application you use. This matters because knowing what is inside helps you identify security and legal risks, for example a component with known vulnerabilities that need to be fixed before they lead to a compromise or data breach.

Why it matters

Without an SBOM, vulnerabilities in third-party components may be missed, slowing mitigation and increasing breach risk.

Operational notes

Automate SBOM generation in CI/CD and publish it with every release; keep component identifiers/versions consistent across updates.

Implementation tips

  • Software developers should create and document an SBOM for each product they develop. They can do this by listing all the libraries and components they use, including open source ones, along with their versions and sources.
  • Managers should ensure that the IT team regularly updates the SBOM when changes or updates are made to the software. This can be done by scheduling routine checks and updates after every major release or patch.
  • The IT team should work on making the SBOM accessible to consumers, such as clients or users. This could be achieved by including it as part of the user documentation or software packaging.
  • Procurement teams should request an SBOM from their software vendors before purchasing software products. This involves contacting the vendor and verifying that the SBOM includes detailed component information.
  • Legal and compliance teams should review the SBOM to ensure all components comply with relevant licensing agreements. They can do this by cross-referencing components against known licence databases to spot any compliance issues.
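The operational note above calls for an SBOM that is regenerated with every release with consistent component identifiers, and the tips call for listing every component with its version and source. The following is an added example (not Control Stack's or ASD's code) that checks a CycloneDX-style SBOM for the omissions an auditor would flag and produces the release-to-release change log; the two SBOMs and the product they describe are constructed sample data.

```python
"""Completeness check and release-to-release diff for a CycloneDX-style SBOM.

Added example, not Control Stack's or ASD's code. Field names follow the
CycloneDX 1.5 JSON layout (bomFormat, components[].name/version/purl/licenses);
the two SBOMs below are constructed sample data, not real releases.
"""
import json

# Constructed sample: release 1.0 and release 1.1 of a hypothetical product.
SBOM_V1 = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "urllib3", "version": "2.0.7",
     "purl": "pkg:pypi/urllib3@2.0.7", "licenses": [{"license": {"id": "MIT"}}]},
]})
SBOM_V2 = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "requests", "version": "2.32.3",
     "purl": "pkg:pypi/requests@2.32.3", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    # Omission: no version, no purl, no licence, so an auditor would reject this entry.
    {"type": "library", "name": "certifi"},
]})

# Fields every component entry must carry for the SBOM to count as complete.
REQUIRED = ("name", "version", "purl", "licenses")


def find_omissions(sbom_json: str) -> dict:
    """Return {component name: [missing fields]} for incomplete entries."""
    gaps = {}
    for comp in json.loads(sbom_json).get("components", []):
        missing = [f for f in REQUIRED if not comp.get(f)]
        if missing:
            gaps[comp.get("name", "<unnamed>")] = missing
    return gaps


def diff_releases(old_json: str, new_json: str) -> dict:
    """Change log between two releases: added, removed and upgraded components.
    Components are matched on name, so a version bump shows as an upgrade
    rather than as a removal plus an addition."""
    old = {c["name"]: c.get("version") for c in json.loads(old_json)["components"]}
    new = {c["name"]: c.get("version") for c in json.loads(new_json)["components"]}
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "upgraded": sorted((n, old[n], new[n]) for n in set(old) & set(new) if old[n] != new[n]),
    }


if __name__ == "__main__":
    print("omissions:", find_omissions(SBOM_V2))
    print("change log:", diff_releases(SBOM_V1, SBOM_V2))
```

Run in the release pipeline, a non-empty omissions result should fail the build, and the change log is the per-release evidence an auditor asks for.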

Audit / evidence tips

  • Ask: a copy of the SBOM for a chosen software application
    Good: includes a complete list with no omissions and accurate details
    Good: is accompanied by a recent update log with details on what was changed

  • Ask: a demonstration of how the SBOM is provided to consumers
    Good: is an accessible and user-friendly method for consumers
    Good: includes documented procedures adhered to by the software development team

  • Ask: to see the review process that checks component compliance
    Good: shows a systematic check, possibly using specialised software or a detailed review checklist

Cross-framework mappings

How ISM-1730 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (1)
  • Annex A 8.25: ISM-1730 requires that a software bill of materials (SBOM) is produced and made available to consumers of software

Supports (2)
  • Annex A 5.32: Annex A 5.32 requires procedures to protect intellectual property rights, encompassing legal and contractual aspects related to software
  • Annex A 8.9: ISM-1730 requires that an SBOM is produced and made available to consumers of software
