ISM-1798 (ASD Information Security Manual)

Develop Secure Configuration Guidelines for Software

Provide users with guides to securely set up software configurations.


Plain language

This control asks the people who develop software to ship easy-to-follow guidance on how to configure it securely (a hardening guide) and, where settings may be relaxed, on what can safely be loosened and under which conditions (a loosening guide). It matters because software that is deployed with insecure defaults or misconfigured settings presents attackers with an easy target, which can lead to data breaches or service outages.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Secure configuration guidance, in the form of a hardening guide or loosening guide, is produced and made available to consumers as part of software development.

Why it matters

Without a published hardening/loosening guide, consumers may deploy insecure defaults or misconfigure the software, increasing exploitable attack surface and incidents.


Operational notes

For each release, produce and publish a consumer-facing hardening/loosening guide with recommended settings, rationale, and verification steps; version and host it centrally.
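The operational note above asks for a guide that records the recommended value, the rationale and a verification step for each setting. The following is an added illustration, not text from the ISM and not any vendor's published guide: it expresses such a guide as structured data so the same source can be rendered for consumers and run as a verifier against a deployed configuration. The service name `examplesvc`, its setting keys, the recommended values and the sample configuration are all invented for the example.

```python
"""A hardening/loosening guide as structured data, with a verifier consumers can run.

Added example for ISM-1798. The product "examplesvc", its setting keys and the
sample configuration are constructed for illustration only.
"""
import configparser
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Setting:
    key: str                      # configuration key as it appears in the product's config file
    recommended: str              # value (or bound) the hardening guide recommends
    rationale: str                # what the recommended value prevents
    check: Callable[[str], bool]  # verification step: True when the observed value is acceptable
    loosening: str = ""           # documented conditions under which a weaker value is tolerated


@dataclass(frozen=True)
class Finding:
    key: str
    observed: str                 # value found in the config, or "<missing>"
    recommended: str
    rationale: str
    loosening: str


# Hypothetical guide for the fictional service "examplesvc" (constructed, not a real product).
GUIDE = (
    Setting("tls_min_version", "1.2",
            "TLS 1.0 and 1.1 are deprecated (RFC 8996) and expose downgrade attacks.",
            lambda v: float(v) >= 1.2),
    Setting("debug_endpoints", "off",
            "Debug endpoints expose internal state and must not be reachable in production.",
            lambda v: v.lower() == "off"),
    Setting("session_timeout_minutes", "<= 15",
            "Short idle timeouts limit how long a hijacked session stays usable.",
            lambda v: float(v) <= 15,
            loosening="Up to 60 on kiosk deployments where physical access is controlled."),
    Setting("admin_listen_address", "127.0.0.1",
            "The administrative interface should only be reachable locally or via a bastion.",
            lambda v: v == "127.0.0.1"),
    Setting("audit_log", "on",
            "Authentication and administrative actions must be logged for incident response.",
            lambda v: v.lower() == "on"),
)

# Constructed sample of a consumer's deployed configuration (INI style).
SAMPLE_CONFIG = """\
[examplesvc]
tls_min_version = 1.0
debug_endpoints = on
session_timeout_minutes = 60
admin_listen_address = 127.0.0.1
"""


def load_config(text: str, section: str = "examplesvc") -> dict[str, str]:
    """Parse INI text and return the key/value pairs of one section (empty if absent)."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return dict(parser[section]) if parser.has_section(section) else {}


def verify(config: dict[str, str], guide=GUIDE) -> list[Finding]:
    """Run every verification step in the guide and return the deviations.

    A missing key is reported as a deviation, as is a value the check cannot parse.
    """
    findings = []
    for s in guide:
        observed = config.get(s.key)
        if observed is None:
            findings.append(Finding(s.key, "<missing>", s.recommended, s.rationale, s.loosening))
            continue
        try:
            ok = s.check(observed)
        except ValueError:            # e.g. "abc" where a number is expected
            ok = False
        if not ok:
            findings.append(Finding(s.key, observed, s.recommended, s.rationale, s.loosening))
    return findings


def render_guide(guide=GUIDE) -> str:
    """Render the consumer-facing guide as a Markdown table: setting, value, rationale, loosening."""
    rows = ["| Setting | Recommended | Rationale | Documented loosening |",
            "|---|---|---|---|"]
    for s in guide:
        rows.append(f"| `{s.key}` | `{s.recommended}` | {s.rationale} | {s.loosening or 'none'} |")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_guide())
    for f in verify(load_config(SAMPLE_CONFIG)):
        note = f"  (loosening permitted: {f.loosening})" if f.loosening else ""
        print(f"DEVIATION {f.key}: found {f.observed!r}, guide recommends {f.recommended}{note}")
```

Keeping the recommended value, the rationale and the check together in one record means the published guide and the verifier cannot drift apart between releases, and versioning that single file alongside the software satisfies the "version and host it centrally" part of the note. A loosening entry documents the exception rather than silently weakening the check, so a deviation on `session_timeout_minutes` is still reported but with the accepted justification attached.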


Implementation tips

  • Development teams should produce a hardening guide (and a loosening guide where settings may legitimately be relaxed) for every piece of software the organisation develops and ships, covering the secure value for each security-relevant setting, the reason for it, and how to verify it. Where the organisation consumes rather than develops software, the IT team should still maintain a configuration guide per application: list all applications in use, determine the safe settings for each, and write the guide in plain language with screenshots where they help.
  • Managers should ensure that staff are trained to use the configuration guides. Organise a workshop in which an IT representative walks through setting up one commonly used application from the guide, and encourage questions to confirm understanding.
  • Procurement should verify that newly purchased software comes with secure configuration guidance. Before finalising a purchase, ask the vendor for its hardening guide and review whether it aligns with the organisation's internal security practices.
  • The IT team should review and update the secure configuration guides on a schedule, for example quarterly, checking for software updates or newly published vulnerabilities and revising the recommended settings accordingly.
  • HR should include a segment on secure software configuration in new employee onboarding. Create a checklist of the essential software each new hire will use and make sure they know where to find, and how to follow, the relevant configuration guides.

Audit / evidence tips

  • Ask for: the current list of secure configuration guides. Request a document showing all available guides for the software used by the organisation. Good evidence: shows recent updates and covers all key software applications.
  • Ask for: documentation of training sessions on secure configuration. Request records of any training sessions conducted. Good evidence: regular, well-attended training with positive feedback.
  • Ask for: vendor-supplied configuration materials. Request the materials provided by software vendors that detail secure setup. Good evidence: materials that match the software versions in use and organisational standards.
  • Ask for: the procedure for updating configuration guides. Request written procedures or policies describing how guides are updated. Good evidence: clearly assigned accountability and a routine review process.
  • Ask for: onboarding materials related to software configuration. Request the sections of the onboarding manual or checklist that cover software configuration. Good evidence: comprehensive, user-friendly onboarding documentation.

Cross-framework mappings

How ISM-1798 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (2)
  • Annex A 8.25: ISM-1798 requires that secure configuration guidance (hardening/loosening guides) is produced and made available to software consumers as...
  • Annex A 8.27: ISM-1798 requires producing and publishing secure configuration (hardening/loosening) guides as part of software development.
Supports (2)
  • Annex A 8.9: ISM-1798 requires publishing secure configuration guidance so consumers can securely configure the software.
  • Annex A 8.19: ISM-1798 requires secure configuration guidance to be produced and made available to consumers to enable secure setup of software.

E8

Supports (2)
Related (7)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
