Maintain a Reliable Source for Software
Ensure a trustworthy source for software is available and maintained consistently.
Plain language
This control is about making sure your organisation gets software from a reliable and trusted place. It's important because using dodgy software sources can lead to installing harmful programs, resulting in data breaches or financial loss.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Official control statement
An authoritative source for software is established and maintained.
Why it matters
Using untrusted software sources could introduce malware, risking data breaches, operational disruptions, and financial loss.
Operational notes
Maintain an approved software repository/vendor list; require signature/hash verification and restrict installs to these sources.
Implementation tips
- The IT team should identify and document trusted sources for all software used in the organisation. This means listing vendors and websites where software is approved to be downloaded from, and making sure this list is easily accessible.
- Procurement teams need to include checking the authorised software source list in their purchasing process. Before buying new software, they should verify it comes from one of the approved sources to prevent introducing unsafe software.
- Managers should regularly review and update the list of trusted software sources. They can set up quarterly check-ins with the IT team to make sure the list reflects any changes in software vendors or business needs.
- The IT team must educate staff on the importance of only using software from trusted sources. This can be done by running short training sessions explaining the risks of using unauthorised software and how to access the approved list.
- System owners should set up alerts or controls that notify them when an attempt is made to install software from an unapproved source. This ensures quick action can be taken to prevent a potential security incident.
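The operational note above asks for signature/hash verification and installs restricted to approved sources, and the last tip asks for alerts on installs from unapproved sources. The following is an added example (not code from Control Stack or the ASD ISM) of a minimal install gate that does both: it accepts an artifact only if it was fetched over HTTPS from a host on the approved-source register and its SHA-256 matches the value recorded for that package, and it records every decision so blocked attempts can be raised as alerts. The hostnames, package name and hashes are constructed placeholders, not real vendors' values.

```python
import hashlib
import json
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed approved-source register (placeholder hosts, not real vendors):
# the "authoritative source" list the control asks the IT team to maintain.
APPROVED_SOURCES = {
    "downloads.vendor.example": "Vendor portal (approved by IT, reviewed quarterly)",
    "artifacts.corp.example": "Internal artifact repository",
}

# Constructed reference hashes: the SHA-256 the approved source published
# for each package (here derived from constructed bytes so the example runs offline).
PACKAGE_BYTES = b"constructed package contents for widget-tool 1.2.0"
EXPECTED_SHA256 = {
    "widget-tool-1.2.0.tar.gz": hashlib.sha256(PACKAGE_BYTES).hexdigest(),
}

# In-memory stand-in for the alerting/audit sink the implementation tips mention.
AUDIT_LOG = []


def source_is_approved(url):
    """True only for an https URL whose host is on the approved-source register."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in APPROVED_SOURCES


def sha256_matches(package_name, data):
    """Compare the artifact's SHA-256 with the value recorded for that package."""
    expected = EXPECTED_SHA256.get(package_name)
    if expected is None:
        return False  # unknown package: there is nothing trustworthy to verify against
    return hashlib.sha256(data).hexdigest() == expected


def check_install(url, package_name, data):
    """Gate an install; returns (allowed, reason) and records every decision."""
    if not source_is_approved(url):
        reason = "unapproved source"
    elif not sha256_matches(package_name, data):
        reason = "hash mismatch or unknown package"
    else:
        reason = "ok"
    allowed = reason == "ok"
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "url": url,
        "package": package_name,
        "allowed": allowed,
        "reason": reason,
    })
    return allowed, reason


def blocked_attempts():
    """Entries a system owner would want alerted on: installs refused by the gate."""
    return [entry for entry in AUDIT_LOG if not entry["allowed"]]


if __name__ == "__main__":
    name = "widget-tool-1.2.0.tar.gz"
    approved_url = "https://downloads.vendor.example/" + name
    unapproved_url = "https://mirror.unknown.example/" + name
    print(check_install(approved_url, name, PACKAGE_BYTES))             # (True, 'ok')
    print(check_install(unapproved_url, name, PACKAGE_BYTES))           # blocked: source
    print(check_install(approved_url, name, PACKAGE_BYTES + b"x"))     # blocked: hash
    print(json.dumps(blocked_attempts(), indent=2))
```

The two checks are deliberately ordered: source first, then hash. A correct hash from an unapproved mirror is still refused, because the control is about where software comes from, not only whether it is intact, and an artifact whose reference hash is not on file is refused rather than waved through. The audit entries are what the "change logs or alerts" evidence item below would be drawn from.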
Audit / evidence tips
- Ask for the list of approved software sources: Request to see the document or system that lists where software can be safely obtained. Look to ensure it's comprehensive and up-to-date. Good evidence is a detailed list with the date of the last review and who performed it.
- Ask for procurement process records: Request documentation showing how software purchases are vetted against the approved sources list. Good evidence includes records of checks and approvals for recent software acquisitions.
- Ask for staff training materials: Request to see the content used to educate staff about using authorised software sources. Good evidence is easy-to-understand training resources used in the last 12 months.
- Ask for change logs or alerts from IT systems: Request alert logs that show attempted installations from unapproved sources. Good evidence shows timely interventions and follow-ups.
- Ask for management review records: Request minutes from meetings where software source lists were reviewed. Good evidence shows regular reviews with actionable outcomes.
Cross-framework mappings
How ISM-2023 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 8.19 | Annex A 8.19 requires organisations to implement controlled, secure procedures for installing software on operational systems | |
| Supports (2) | | |
| Annex A 5.21 | ISM-2023 requires an organisation to establish and maintain an authoritative, trusted source for obtaining software | |
| Annex A 8.18 | Annex A 8.18 requires tight control over tools and utilities that can override system and application controls, including controlling how... | |
E8
| Control | Notes | Details |
|---|---|---|
| Supports (1) | | |
| E8-AC-ML1.1 | ISM-2023 requires an organisation to establish and maintain an authoritative, trusted source for obtaining software | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.