ISM-1780: ASD Information Security Manual (ISM)

Apply SecDevOps for Secure Software Development

Use DevOps practices focused on security to develop software safely and securely.


Plain language

SecDevOps is about building software with security in mind right from the start. It matters because if you ignore security while developing software, you could end up with a product that easily gets hacked, which can lead to data breaches, loss of customer trust, and financial damage.

Framework: ASD Information Security Manual (ISM)

Control effect: Proactive

Classifications: NC, OS, P, S, TS

ISM last updated: Feb 2025

Control Stack last updated: 19 Mar 2026

E8 maturity levels: N/A

Official control statement

SecDevOps practices are used for software development.

Why it matters

Without SecDevOps, insecure code can reach production, increasing the risk of exploitable flaws, data breaches, service outages and remediation costs.


Operational notes

Embed SAST/DAST, dependency and secret scanning, plus signed builds and IaC checks into CI/CD; gate releases and fix findings early.
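The release gate in that note is the piece teams most often leave vague: which findings block, what happens when a scanner silently did not run, and how long a waiver is allowed to live. The following is an added example written for this page, not code from ASD, the ISM or the Control Stack site. It assumes each scanner stage emits a small JSON report in the constructed shape embedded below (real tools emit SARIF, CycloneDX and similar, so a thin adapter would sit in front of it); the thresholds, suppression list, build record and finding ids are all constructed for illustration.

```python
"""Release gate for a CI/CD pipeline (added example; see the lead-in).

Assumes each scanner stage (SAST, DAST, dependency audit, secret scan, IaC
check) emits a JSON report in the constructed shape of SAMPLE_REPORTS_JSON.
"""
import json
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed policy: lowest severity that blocks a release, per scanner.
# Secrets block at any severity; IaC misconfigurations block from medium.
BLOCKING_THRESHOLD = {"sast": "high", "dast": "high", "dependency": "high",
                      "iac": "medium", "secret": "low"}
REQUIRED_SCANNERS = frozenset(BLOCKING_THRESHOLD)


@dataclass
class GateResult:
    passed: bool
    blocking: list = field(default_factory=list)  # findings that fail the gate
    advisory: list = field(default_factory=list)  # to be fixed, not blocking
    reasons: list = field(default_factory=list)   # pipeline-level failures


def is_suppressed(finding, suppressions, today):
    """A suppression is only valid until its expiry date: no permanent waivers."""
    expiry = suppressions.get(finding["id"])
    return expiry is not None and date.fromisoformat(expiry) > today


def evaluate(build, reports, suppressions=None, today=None):
    """Decide whether a build may be released. Fails closed on missing evidence."""
    suppressions = suppressions or {}
    today = date.fromisoformat(today) if today else date.today()
    result = GateResult(passed=True)

    # A release candidate must be a signed build before findings are considered.
    if not build.get("signed"):
        result.reasons.append("unsigned build artefact")

    # Every required scanner must have produced a report; absence is a failure,
    # because a stage that was skipped or crashed must not look like a clean pass.
    seen = {r["scanner"] for r in reports}
    for missing in sorted(REQUIRED_SCANNERS - seen):
        result.reasons.append(f"no report from {missing} scanner")

    # Classify each finding against its scanner's threshold.
    for report in reports:
        threshold = SEVERITY_RANK[BLOCKING_THRESHOLD.get(report["scanner"], "high")]
        for finding in report["findings"]:
            if is_suppressed(finding, suppressions, today):
                result.advisory.append(finding)
            elif SEVERITY_RANK[finding["severity"]] >= threshold:
                result.blocking.append(finding)
            else:
                result.advisory.append(finding)

    result.passed = not result.blocking and not result.reasons
    return result


# Constructed sample input: what the scanner stages of one pipeline run might emit.
SAMPLE_REPORTS_JSON = """[
  {"scanner": "sast", "findings": [
    {"id": "SAST-001", "severity": "high", "title": "SQL query built by string concatenation"},
    {"id": "SAST-002", "severity": "low", "title": "Request body written to debug log"}]},
  {"scanner": "dast", "findings": []},
  {"scanner": "dependency", "findings": [
    {"id": "DEP-001", "severity": "critical", "title": "Vulnerable transitive package"}]},
  {"scanner": "secret", "findings": [
    {"id": "SEC-001", "severity": "low", "title": "API token committed in config file"}]},
  {"scanner": "iac", "findings": [
    {"id": "IAC-001", "severity": "medium", "title": "Storage bucket readable by anyone"}]}
]"""
SAMPLE_BUILD = {"artefact": "app-1.4.2.tar.gz", "signed": True}  # constructed
SAMPLE_SUPPRESSIONS = {"DEP-001": "2026-04-01"}  # constructed, time-boxed waiver


def run_sample(today="2026-03-19"):
    """Evaluate the constructed sample run as of the given date (ISO string)."""
    reports = json.loads(SAMPLE_REPORTS_JSON)
    return evaluate(SAMPLE_BUILD, reports, SAMPLE_SUPPRESSIONS, today)


if __name__ == "__main__":
    verdict = run_sample()
    print("RELEASE" if verdict.passed else "BLOCKED")
    for f in verdict.blocking:
        print(f"  blocking  {f['id']} [{f['severity']}] {f['title']}")
    for f in verdict.advisory:
        print(f"  advisory  {f['id']} [{f['severity']}] {f['title']}")
    for r in verdict.reasons:
        print(f"  pipeline  {r}")
```

Two design choices carry the weight here: the gate fails closed (an unsigned artefact or a scanner that produced no report is a failure in its own right, not an absence of findings), and every suppression has an expiry, so the waiver on the critical dependency finding stops working once that date passes and the release is blocked again until the finding is actually fixed.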


Implementation tips

  • The IT team should integrate security steps into the existing development process. They can do this by setting security checkpoints at every stage of development, from planning to deployment, to catch and fix potential issues early on.
  • Managers should ensure developers receive training on security best practices. This can be done by organising regular workshops or online courses focusing on secure coding and threat awareness.
  • System owners should regularly meet with the IT team to review security requirements for new projects. During these meetings, they can discuss potential risks and document necessary security measures to address them.
  • Procurement officers need to select tools that support secure development practices. They should compare tools that have built-in security features or can easily work with other security tools.
  • The HR team should work on embedding a culture of security by including security awareness in job descriptions and performance reviews. Encourage staff to always consider security as a priority in their daily work.

Audit / evidence tips

  • Ask: a SecDevOps policy document. Ensure there is a written policy specifying how security is integrated into development.
  • Good: shows developers are current with security training.
  • Ask: examples of recent code reviews. Request documentation showing recent projects underwent security reviews.
  • Ask: records of security meetings. Ensure regular reviews are happening to discuss security concerns.

Cross-framework mappings

How ISM-1780 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (2)
  • Annex A 8.28: requires that secure coding principles are applied during software development
  • Annex A 8.29: requires security testing processes to be embedded in development and acceptance

Partially overlaps (3)
  • Annex A 8.25: requires organisations to establish and apply rules for secure development across the software/system lifecycle
  • Annex A 8.27: ISM-1780 requires organisations to implement SecDevOps practices, which typically embed secure-by-design activities early and continuousl...
  • Annex A 8.30: ISM-1780 requires SecDevOps practices to be used for software development, including embedding security controls into build, test, and re...

Supports (1)
  • Annex A 8.4: ISM-1780 requires organisations to use SecDevOps practices for secure software development, which relies on protecting the integrity of c...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
