Choose Secure Operating System Vendors
Choose OS vendors who prioritize secure design and memory-safe languages or practices.
Plain language
When selecting an operating system for your devices, you should choose providers who put a strong emphasis on security from the ground up. This is important because if an operating system has vulnerabilities, it can be exploited by cybercriminals to access sensitive information, disrupt operations, or even damage your business's reputation.
Framework: ASD Information Security Manual (ISM)
Control effect: Preventative
Classifications: NC, OS, P, S, TS
ISM last updated: Feb 2025
Control Stack last updated: 19 Mar 2026
E8 maturity levels: N/A
Guideline: Guidelines for system hardening
Section: Operating system hardening
Official control statement
Vendors that have demonstrated a commitment to Secure by Design and Secure by Default principles and practices, including secure programming practices and either memory-safe programming languages or less preferably memory-safe programming practices, are used for operating systems.
Why it matters
Choosing OS vendors committed to Secure by Design/Default and memory-safe development reduces OS flaws that enable compromise, data loss and service disruption.
Operational notes
Periodically review OS vendor Secure by Design/Default evidence, track language/memory-safety posture, and prefer vendors with secure SDLC and timely security fixes.
Implementation tips
- The procurement manager should choose operating system vendors that have a strong reputation for security. They can do this by reading up on vendor reviews and reports or consulting with cybersecurity experts to ensure the vendor uses secure programming practices.
- The IT team should evaluate operating systems for their security features before acquisition. They can conduct tests or pilot programs on a small scale to confirm the operating system uses memory-safe techniques, reducing potential security risks from software bugs.
- System administrators should follow vendor updates and security bulletins after choosing an operating system. This involves subscribing to vendor notifications to stay informed about security patches and applying them promptly to maintain system safety.
- The IT security team should establish criteria for operating system selection that include secure design and memory-safe practices. This involves drafting a checklist of essential security features based on trusted security guidelines, such as the Australian Cyber Security Centre recommendations.
- Business owners should consult with a cybersecurity consultant periodically to reassess which operating systems are most secure. This involves scheduling annual reviews to discuss advancements in technology and whether current systems still meet security needs.
Audit / evidence tips
- Ask: the documentation detailing the criteria used for operating system selection
  Good: includes a comprehensive checklist aligned with ASD (Australian Signals Directorate) security benchmarks
- Good: shows evaluations using clear, security-focused criteria and decision justifications
- Ask: records of operating system security updates and patches applied
  Good: shows prompt application of critical patches as soon as they are available, ensuring minimal exposure to vulnerabilities
- Good: demonstrates regular review cycles and adjustments as required by updated security practices
- Ask: the records of consultations with cybersecurity experts or consultants
  Good: includes documentation of advice implemented to enhance operating system security
Cross-framework mappings
How ISM-1743 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001 (partially meets, 2 mapped controls)

| Control | Notes |
|---|---|
| Annex A 5.21 | ISM-1743 requires organisations to choose operating system vendors that demonstrate Secure by Design/Secure by Default practices and pref... |
| Annex A 5.22 | ISM-1743 requires selecting operating system vendors with demonstrated Secure by Design/Secure by Default commitment, including memory-sa... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.