Using Issue Tracking for Software Development Tasks
Connect software tasks with security and change issues using an issue tracking tool.
Plain language
Using an issue tracking system in software development is crucial because it helps keep a clear record of all the changes, problems, and security concerns tied to your software. Without this, tasks can fall through the cracks, leading to unresolved security holes or changes not being properly managed, which could result in unexpected expenses or even a data breach.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Topic
Issue Tracking
Official control statement
An issue tracking solution is used to link software development tasks to security issues and decisions, change or feature requests, programming issues, or bug fixes.
Why it matters
Without an issue tracking system, critical security flaws or required changes may be overlooked, increasing the risk of breaches and operational instability.
Operational notes
Regularly update the issue tracker to reflect task status changes and ensure all security and change issues are documented and addressed promptly.
Implementation tips
- The project manager should ensure that an issue tracking system, like Jira or Trello, is in place and set up. This involves listing all current development tasks, security issues, and change requests in the system, making sure they are visible and accessible to the whole team.
- Software developers should link each of their tasks to specific entries in the issue tracking system for any security or bug-related issue they are addressing. They can do this by referencing the issue number when logging their work on a development task.
- IT support staff should regularly review and update the status of reported issues in the tracking system. They should mark issues as resolved only after proper testing and confirmation from the team that the issue is indeed fixed.
- System owners must schedule regular meetings with the development and security teams to review the entries in the issue tracking system. They should focus on prioritising issues that could impact security or critical functionalities.
- The IT team should provide training for all staff involved in software development on how to effectively use the issue tracking system. This includes how to add new issues, update existing entries, and link relevant documents or discussions.
Audit / evidence tips
- Ask: access to the issue tracking system: Request a demonstration of how tasks related to security and changes are logged
  Good: a well-documented and updated log of issues and corresponding tasks
- Ask: regular meeting documentation where issue tracking updates are discussed
  Good: clear documentation outlining issue discussions and decisions made
- Good: entries being seamlessly linked to supporting documentation
- Ask: reports on issue status changes over the last few months
  Good: timely updates with logical progressions and resolutions
- Ask: training records: Request documents showing staff training sessions related to using the issue tracking system
  Good: comprehensive training records indicating active participation and understanding
Cross-framework mappings
How ISM-2025 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (3) | | |
| Annex A 8.9 | ISM-2025 requires an issue tracking solution to tie development work items to security issues, decisions and change requests | |
| Annex A 8.25 | ISM-2025 requires an issue tracking solution to link software development tasks to security issues/decisions and to change, feature and d... | |
| Annex A 8.32 | ISM-2025 requires using an issue tracking tool to link development tasks to security decisions and change/feature requests | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.