Select Vendors Committed to Secure Design for Servers
Choose server vendors who ensure secure designs and use safe programming practices.
Plain language
When choosing companies to buy your computer servers from, make sure they are serious about safety from the very start. This matters because if the computer servers are not built securely, they can be more easily hacked, which could lead to loss of customer information, downtime, or financial trouble.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
Vendors that have demonstrated a commitment to Secure by Design and Secure by Default principles and practices, including secure programming practices and either memory-safe programming languages or less preferably memory-safe programming practices, are used for server applications.
Why it matters
Choosing server app vendors without Secure by Design/Default increases bug density and memory-safety flaws, enabling RCE, data loss and outages.
Operational notes
Require evidence of Secure by Design/Default (SDLC, secure coding, VDP). Prefer memory-safe languages; otherwise verify mitigations and testing for memory bugs.
Implementation tips
- Look at vendors who follow 'Secure by Design' principles. Check vendor websites and reviews to see if they talk about security in their product descriptions.
- IT teams should ask vendors about their security practices: Contact vendor representatives to learn about how they ensure their server products are secure from the start. Inquire about their use of memory-safe programming languages or techniques.
- Managers should evaluate vendor security certifications: Ensure that vendors have relevant security certifications such as ISO 27001 or attestations that show their commitment to secure designs. Request documentation or proof of certification from vendors.
- System administrators should test the security features: Once servers are purchased, they should be tested in a controlled environment to confirm advertised security features are present and working. Use tools to verify if security settings are enabled by default.
- Procurement teams should keep records of vendor assessments: Create a file or database entry for each vendor that lists their security practices, certifications, and evaluation results. This ensures there is a record to refer back to for future purchases.
Audit / evidence tips
- Ask for vendor security policy documents: Request copies of vendor documentation that describe their Secure by Design and Secure by Default policies.
  Good: contains detailed descriptions of how security is integrated into server design.
- Ask for vendor compliance reports: Request any reports that show the vendor's compliance with security standards.
  Good: would show up-to-date, clean compliance reports with recognitions by third parties.
- Ask to see records of vendor evaluations: Review procurement records to see the criteria used to assess server vendors.
  Good: means seeing detailed assessments focusing on security.
- Ask to see server security configuration tests: Request demonstration results of security configurations on newly purchased servers.
  Good: shows comprehensive tests confirming security settings are as specified.
- Ask to see meeting minutes from procurement discussions.
  Good: has minutes showing security was a key topic of discussion with actions assigned to verify it.
Cross-framework mappings
How ISM-1826 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (3) | | |
| Annex A 5.19 | ISM-1826 requires organisations to choose server vendors that demonstrate commitment to Secure by Design and secure programming practices... | |
| Annex A 5.21 | ISM-1826 requires organisations to select server application vendors committed to Secure by Design/Secure by Default practices, including... | |
| Annex A 5.22 | ISM-1826 requires selecting vendors whose server applications are engineered with Secure by Design/Secure by Default and strong secure pr... | |
| Partially overlaps (1) | | |
| Annex A 8.30 | ISM-1826 requires choosing server application vendors that demonstrate secure design and secure programming practices, including preferen... | |
| Supports (3) | | |
| Annex A 8.25 | ISM-1826 requires selecting vendors who build server applications using Secure by Design/Secure by Default principles and secure programm... | |
| Annex A 8.27 | ISM-1826 requires the organisation to select server vendors that demonstrate Secure by Design/Secure by Default and strong secure program... | |
| Annex A 8.28 | ISM-1826 requires selecting vendors for server applications who apply secure programming practices and, preferably, use memory-safe progr... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.