Utilise Authoritative Sources in Software Development
Use only official sources for all software development tasks to ensure accuracy and reliability.
Plain language
When developing software, it is crucial to obtain code, libraries and tools only from official and trusted sources to avoid errors and ensure safety. Relying on unofficial sources can introduce software bugs or malicious code, lead to data breaches, or cause other technical issues that harm your business and your customers' trust.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Official control statement
The authoritative source for software is used for all software development activities.
Why it matters
Using non-authoritative sources can introduce malicious code or defective components into builds, undermining software integrity and user trust.
Operational notes
Maintain an approved list of authoritative repositories and vendor sites, and periodically revalidate access paths, signatures and ownership to avoid compromised or stale sources.
Implementation tips
- The software development team should maintain a checklist of approved sources: this ensures that all members know which repositories, libraries and tools are considered reliable and secure. They can build it by researching trusted sources as recommended by the Australian Cyber Security Centre (ACSC).
- IT leaders should provide training for developers: regularly update the team on how to identify authoritative sources. This includes verifying vendors' code-signing certificates and release signatures, and understanding endorsement from trusted industry bodies.
- Procurement staff should verify software sources before purchase: they need to check that software comes from a verified vendor who follows security best practices. This can involve looking for vendor accreditations or recognition by reputable bodies such as the Australian Signals Directorate (ASD).
- Project managers should conduct regular audits: set up periodic reviews in which team members verify that adopted software and updates come from the documented authoritative sources. Use a simple checklist to confirm compliance with the official list.
- Security officers should monitor for deviations: implement tooling that alerts when non-authorised sources are used. This can involve setting filters or alerts on the company's network and in the build pipeline to flag downloads or installations from unapproved or unknown sources.
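One way to turn the approved-source list and the deviation monitoring described above into an automated build-pipeline check, as an added example that is not part of the original page or any ISM publication: a small Python checker that reads a pip-style requirements file, flags any index or direct-download URL whose host is not on the approved list (or is served over plain HTTP), and requires every dependency to be pinned to an exact version with a sha256 hash. The approved hosts, the internal mirror `artifacts.example.internal` and the sample requirements file are all constructed for this illustration.

```python
"""Flag dependencies that do not come from an approved (authoritative) source.

Added example: checks a pip-style requirements file offline.  The host
allowlist, the internal mirror name and the sample file are assumptions
made for this illustration, not an organisation's real policy.
"""
import re
from urllib.parse import urlparse

# Assumption: the organisation's approved software sources.  pypi.org and
# files.pythonhosted.org are the official PyPI hosts; artifacts.example.internal
# is a hypothetical internal mirror.
APPROVED_HOSTS = {"pypi.org", "files.pythonhosted.org", "artifacts.example.internal"}

# Constructed placeholder digest (64 hex chars) so the sample parses offline.
FAKE_SHA256 = "0123456789abcdef" * 4

# Constructed sample requirements file: two good lines, several violations.
SAMPLE_REQUIREMENTS = f"""\
--index-url https://artifacts.example.internal/simple
--extra-index-url https://pypi.org/simple
requests==2.32.3 --hash=sha256:{FAKE_SHA256}
urllib3>=2.0
certifi==2024.8.30
somepkg @ https://example.net/downloads/somepkg-1.0.tar.gz
--extra-index-url http://mirror.example.net/simple
"""

HASH_RE = re.compile(r"--hash=sha256:[0-9a-f]{64}")
PINNED_RE = re.compile(r"^[A-Za-z0-9_.\-\[\]]+==\S+")
INDEX_OPTS = ("--index-url", "--extra-index-url", "--find-links")


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def check_requirements(text: str, approved_hosts=APPROVED_HOSTS):
    """Return a list of (line_no, line, reason) for every policy violation.

    Rules: index/find-links URLs must be https and on the allowlist; direct
    'name @ url' requirements must point at an allowlisted host; every
    requirement must be pinned with '==' and carry a sha256 hash.
    """
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue

        if line.startswith(INDEX_OPTS):
            # Accept both '--index-url URL' and '--index-url=URL'.
            _, url = re.split(r"[ =]", line, maxsplit=1)
            url = url.strip()
            if urlparse(url).scheme != "https":
                findings.append((n, line, "index URL must use https"))
            elif host_of(url) not in approved_hosts:
                findings.append((n, line, f"index host {host_of(url)!r} not on approved list"))
            continue

        if " @ " in line:
            # Direct URL requirement: source host must be approved, hash still required.
            _, _, rest = line.partition(" @ ")
            url = rest.split()[0]
            if host_of(url) not in approved_hosts:
                findings.append((n, line, f"direct URL host {host_of(url)!r} not on approved list"))
            if not HASH_RE.search(line):
                findings.append((n, line, "no sha256 hash pin"))
            continue

        if not PINNED_RE.match(line):
            findings.append((n, line, "not pinned to an exact version"))
        if not HASH_RE.search(line):
            findings.append((n, line, "no sha256 hash pin"))
    return findings


if __name__ == "__main__":
    for line_no, line, reason in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {line_no}: {reason}: {line}")
```

Run against the constructed sample it reports six violations on lines 4 to 7 (an unpinned range, a pin without a hash, a direct download from an unlisted host, and a plain-HTTP mirror); a file that uses only approved HTTPS indexes with hash-pinned requirements produces no findings. In a real pipeline this check belongs beside `pip install --require-hashes`, which makes pip itself refuse any package whose digest is missing or mismatched; the allowlist here is the piece pip does not enforce on its own.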
Audit / evidence tips
- Ask: a list of approved software sources. This document should detail each source the organisation considers trustworthy. Good: a dated, detailed list with ACSC guidelines applied.
- Ask: records of developer training on identifying authoritative sources. Good: includes a roster of trained staff and an outline of the session.
- Ask: procurement records of recent software purchases. Ensure these documents show that only approved vendors were used. Good: consistent records with authoritative-source verification.
- Ask: records of the periodic audits of software sources. Good: clear action points for maintaining approved software sources.
- Ask: logs from the software monitoring tools. Verify that they show alerts for any deviations from authorised sources. Good: dated logs with the actions taken to resolve any issues.
Cross-framework mappings
How ISM-2024 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (3) | | |
| Annex A 8.4 | Annex A 8.4 requires organisations to manage access to source code, development tools and software libraries, including controlling where... | |
| Annex A 8.28 | ISM-2024 requires developers to use authoritative sources for software development activities, reducing the likelihood of tampered librar... | |
| Annex A 8.30 | ISM-2024 requires authoritative sources to be used for all software development activities, including acquisition of frameworks, librarie... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.