Digitally Sign Executable Software for Security
Executable files must have a digital signature verified by a trusted certificate to ensure security.
Plain language
This control is about ensuring that when software is developed, any files that have the ability to be executed on a computer are digitally signed. This digital signing process provides a way to confirm that the software comes from a trusted source and hasn't been tampered with. Without this, you risk running untrusted software that could harm your computers or steal sensitive information.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Official control statement
Files containing executable content are digitally signed by a certificate with a verifiable chain of trust as part of software development.
Why it matters
Without code signing, attackers can tamper with executable files to add malware, bypass trust checks, and gain unauthorised access or steal data.
Operational notes
Use trusted code-signing certificates with a verifiable chain of trust; regularly validate certificate status/expiry and automate enforcement so only signed executables are built and deployed.
Implementation tips
- Software developers should integrate digital signing into their development process. This means ensuring that as each piece of software is being finalised, it is signed with a digital certificate that is recognised by trusted authorities. Developers can use tools like code signing software to automate this step.
- IT managers should ensure that the digital certificates used for signing are obtained from reputable Certificate Authorities (CAs). They should research and acquire certificates that are widely accepted and ensure that these certificates are kept secure and up-to-date.
- Procurement officers need to include digital signature requirements in contracts with software vendors. When purchasing software, officers should specify that all executable files must be digitally signed, and verify compliance during the procurement process.
- System administrators should regularly check that all installed software is properly signed. This can be done by using software tools to verify the digital signatures of executables and ensure that they are still valid and come from a trusted source.
- Organisation leaders should promote awareness about the importance of using digitally signed software among staff. This can be achieved through regular training sessions and by incorporating it into the organisation's cybersecurity policies.
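The routine signature check the tips above describe, as an added PowerShell audit script that is not part of the ISM or this page: it lists executables whose Authenticode signature is missing, tampered or not chained to a trusted root, and flags signing certificates nearing expiry. The `$Path` and `$Include` defaults are example values; it assumes Windows with PowerShell 5.1 or later.

```powershell
# Added audit script (not part of the ISM or this page): report executables whose
# Authenticode signature is missing, tampered or not chained to a trusted root,
# and flag signing certificates that are close to expiry.
# Assumptions: Windows with PowerShell 5.1+; $Path and $Include are example values.
param(
    [string]   $Path              = 'C:\Program Files',
    [string[]] $Include           = @('*.exe', '*.dll', '*.msi', '*.ps1'),
    [int]      $ExpiryWarningDays = 30
)

$now = Get-Date

# One record per file. Get-AuthenticodeSignature checks the file hash against the
# signature and builds the certificate chain, so Status is 'Valid' only when the
# file is intact and the signer chains to a root the system trusts.
$records = @(Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            File        = $_.FullName
            Status      = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Detail      = $sig.StatusMessage
            Signer      = if ($cert) { $cert.Subject }  else { $null }
            Issuer      = if ($cert) { $cert.Issuer }   else { $null }
            NotAfter    = if ($cert) { $cert.NotAfter } else { $null }
            # A timestamp countersignature keeps a signature valid after the signing cert expires
            Timestamped = $null -ne $sig.TimeStamperCertificate
        }
    })

# Control failures: anything other than a valid, trusted signature.
$failures = @($records | Where-Object { $_.Status -ne 'Valid' })

# Early warning for certificate renewal: valid signatures whose signing
# certificate expires within the warning window.
$expiring = @($records | Where-Object {
    $_.Status -eq 'Valid' -and $_.NotAfter -and $_.NotAfter -lt $now.AddDays($ExpiryWarningDays)
})

"Scanned $($records.Count) file(s): $($failures.Count) failing, $($expiring.Count) expiring within $ExpiryWarningDays days"
$failures | Format-Table File, Status, Detail, Signer -AutoSize
$expiring | Format-Table File, NotAfter, Timestamped, Signer, Issuer -AutoSize

# Non-zero exit lets a build or deployment pipeline block on unsigned or untrusted binaries.
if ($failures.Count -gt 0) { exit 1 }
```

Run it on a schedule and keep the output as evidence of routine checks; a scheduled run over a build output directory gives the automated enforcement the operational notes call for.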
Audit / evidence tips
- Ask: a list of all digital certificates used for software signing. Review the list to ensure certificates are from reputable Certificate Authorities and are still valid.
  Good: includes certificates with valid expiry dates and clear ties to trusted CAs.
- Ask: to see a sample of signed software. Request a demonstration of the digital signature verification process for a random executable file, and look to see if the signature shows as valid and trusted when checked.
  Good: shows a signature that is recognised by the system and indicates the correct issuer.
- Ask: the procurement policy document. Verify the inclusion of digital signing requirements in contracts with software vendors, and check for clauses specifying digitally signed executables.
  Good: contains explicit references to digital signing and compliance checks.
- Ask: records of staff cyber awareness training related to software signing. Review the training materials or attendance records to ensure the topic is covered.
  Good: includes specific sessions on the importance of digital signatures and recorded completion rates.
- Ask: recent audit logs or reports verifying software signatures. Look through the logs for signs of regular checks and any issues that were discovered and addressed.
  Good: contains evidence of routine checks with no unsigned executables, or documented resolutions of such findings.
Cross-framework mappings
How ISM-1796 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 8.25 | Partially meets | ISM-1796 requires organisations to digitally sign files containing executable content with certificates that have a verifiable chain of t... |
| Annex A 8.19 | Supports | ISM-1796 requires executable files to be digitally signed with a verifiable chain of trust, enabling recipients to validate software auth... |
| Annex A 8.24 | Depends on | ISM-1796 requires digitally signing executable content using a certificate with a verifiable chain of trust, which inherently relies on s... |
E8
| Control | Relationship | Notes |
|---|---|---|
| E8-RM-ML3.2 | Partially overlaps | ISM-1796 requires executable files to be digitally signed using a certificate with a verifiable chain of trust as part of software develo... |
| E8-RM-ML3.1 | Supports | E8-RM-ML3.1 mandates that Office macros only execute when digitally signed by a trusted publisher (or from a Trusted Location/sandbox). |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.