Develop Secure Configuration Guidelines for Software
Provide users with guides to securely set up software configurations.
Plain language
This control focuses on creating easy-to-follow guides for setting up software in a secure way. It's important because if software isn't configured securely, it could become an easy target for cybercriminals, leading to data breaches or system failures.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Official control statement
Secure configuration guidance, in the form of a hardening guide or loosening guide, is produced and made available to consumers as part of software development.
Why it matters
Without a published hardening/loosening guide, consumers may deploy insecure defaults or misconfigure the software, increasing exploitable attack surface and incidents.
Operational notes
For each release, produce and publish a consumer-facing hardening/loosening guide with recommended settings, rationale, and verification steps; version and host it centrally.
Implementation tips
- The IT team should develop secure configuration guides for each software application used in the organisation. Start by listing all software applications, then determine the safest settings for each. Use simple language and include screenshots where possible.
- Managers should ensure that staff are trained on how to use the configuration guides. Organise a workshop where an IT representative walks through setting up one common software using the guide. Encourage questions to ensure understanding.
- Procurement should verify that newly purchased software comes with secure configuration instructions. Before finalising a purchase, ask the vendor for their security configuration guide and review if it aligns with your internal security practices.
- The IT team should review and update the secure configuration guides regularly. Set a schedule to review guides quarterly, checking for any software updates or new security vulnerabilities, and revise the guide accordingly.
- HR should include a segment on secure software configuration in the new employee onboarding process. Create a checklist of the essential software applications each new hire will use and ensure they know where to find, and how to follow, the configuration guides.
Audit / evidence tips
- Ask: the current list of secure configuration guides. Request a document showing all available guides for the software used by the organisation.
  Good: shows recent updates and covers all key software applications.
- Ask: documentation of training sessions on secure configurations. Request records of any training sessions conducted.
  Good: includes evidence of regular, well-attended training with positive feedback.
- Ask: vendor-supplied configuration materials. Request materials that detail secure setups provided by software vendors.
  Good: includes materials that align with current software versions and organisational standards.
- Ask: the procedure for updating configuration guides. Request written procedures or policies detailing how guides are updated.
  Good: clearly assigns accountability and describes a routine review process.
- Ask: onboarding materials related to software configuration. Request the sections of the onboarding manual or checklist that cover software configuration.
  Good: includes comprehensive and user-friendly onboarding documentation.
Cross-framework mappings
How ISM-1798 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 8.25 | ISM-1798 requires that secure configuration guidance (hardening/loosening guides) is produced and made available to software consumers as... | |
| Annex A 8.27 | ISM-1798 requires producing and publishing secure configuration (hardening/loosening) guides as part of software development. | |
| Supports (2) | | |
| Annex A 8.9 | ISM-1798 requires publishing secure configuration guidance so consumers can securely configure the software. | |
| Annex A 8.19 | ISM-1798 requires secure configuration guidance to be produced and made available to consumers to enable secure setup of the software. | |
E8
| Control | Notes | Details |
|---|---|---|
| Supports (2) | | |
| Related (7) | | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.