ISM-1743 ASD Information Security Manual (ISM)

Choose Secure Operating System Vendors

Choose OS vendors who prioritize secure design and memory-safe languages or practices.

🏛️ Framework: ASD Information Security Manual (ISM)
🧭 Control effect: Preventative
🔐 Classifications: NC, OS, P, S, TS
🗓️ ISM last updated: Feb 2025
✏️ Control Stack last updated: 22 Feb 2026
🎯 E8 maturity levels: N/A

Official control statement
Vendors that have demonstrated a commitment to Secure by Design and Secure by Default principles and practices, including secure programming practices and either memory-safe programming languages or less preferably memory-safe programming practices, are used for operating systems.

Source: ASD Information Security Manual (ISM)

Plain language

When selecting an operating system for your devices, you should choose providers who put a strong emphasis on security from the ground up. This is important because if an operating system has vulnerabilities, it can be exploited by cybercriminals to access sensitive information, disrupt operations, or even damage your business's reputation.

Why it matters

Choosing OS vendors committed to Secure by Design/Default and memory-safe development reduces OS flaws that enable compromise, data loss and service disruption.

Operational notes

Periodically review OS vendor Secure by Design/Default evidence, track language/memory-safety posture, and prefer vendors with secure SDLC and timely security fixes.

Implementation tips

  • The procurement manager should choose operating system vendors that have a strong reputation for security. They can do this by reading up on vendor reviews and reports or consulting with cybersecurity experts to ensure the vendor uses secure programming practices.
  • The IT team should evaluate operating systems for their security features before acquisition. They can conduct tests or pilot programs on a small scale to confirm the operating system uses memory-safe techniques, reducing potential security risks from software bugs.
  • System administrators should follow vendor updates and security bulletins after choosing an operating system. This involves subscribing to vendor notifications to stay informed about security patches and applying them promptly to maintain system safety.
  • The IT security team should establish criteria for operating system selection that include secure design and memory-safe practices. This involves drafting a checklist of essential security features based on trusted security guidelines, such as the Australian Cyber Security Centre recommendations.
  • Business owners should consult with a cybersecurity consultant periodically to reassess which operating systems are most secure. This involves scheduling annual reviews to discuss advancements in technology and whether current systems still meet security needs.

Audit / evidence tips

  • Ask: the documentation detailing the criteria used for operating system selection
    Good: includes a comprehensive checklist aligned with ASD (Australian Signals Directorate) security benchmarks

  • Good: shows evaluations using clear, security-focused criteria and decision justifications

  • Ask: records of operating system security updates and patches applied
    Good: shows prompt application of critical patches as soon as they are available, ensuring minimal exposure to vulnerabilities

  • Good: demonstrates regular review cycles and adjustments as required by updated security practices

  • Ask: the records of consultations with cybersecurity experts or consultants
    Good: includes documentation of advice implemented to enhance operating system security

Cross-framework mappings

How ISM-1743 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001 (Partially meets: 2 controls)

  • Control: Annex A 5.21
    Notes: ISM-1743 requires organisations to choose operating system vendors that demonstrate Secure by Design/Secure by Default practices and pref...

  • Control: Annex A 5.22
    Notes: ISM-1743 requires selecting operating system vendors with demonstrated Secure by Design/Secure by Default commitment, including memory-sa...
