Scan Software Artefacts for Malicious Content
Ensure all software artefacts are checked for harmful content before adding them to the main software source.
Plain language
Before adding any new software programs or updates to your main systems, it's crucial to check them for harmful content. If you don't, you risk introducing malicious software that could steal data, disrupt operations, or damage your business's reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Mar 2026
Control Stack last updated
24 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software developmentTopic
Software artefactsOfficial control statement
All software artefacts are scanned for malicious content before being imported into the authoritative source for software.
Why it matters
Without scanning software artefacts, you risk allowing malware to enter your systems, which can lead to data breaches and significant business disruptions.
Operational notes
Regularly update your scanning tools and procedures to keep ahead of new threats. Maintain a consistent scanning and update schedule, reviewing any detected issues comprehensively.
Implementation tips
- IT team should establish a process to scan software artefacts: They should use reliable tools to check every piece of software, including applications, libraries, and components. Ensure all software is scanned before it's added to the main storage area.
- Procurement should ensure all third-party software is vetted: They need to insist that suppliers provide proof that their software has been scanned for malicious code. This can be done by requesting a security certification or scan report.
- System managers should conduct regular training sessions: They should educate their teams on the importance of scanning for malicious code and how to recognise harmful code indicators. Training can be incorporated into regular staff meetings or as part of the onboarding for new team members.
- Developers must integrate security checks into the development process: They should embed regular security scans in the software development lifecycle. This means using automated tools that check for vulnerabilities each time software changes are made.
- Project managers should schedule regular software audits: Set aside time every quarter to review all software in the repository and ensure it has been appropriately scanned. Coordinate with the IT team to check for documentation proving scans have been conducted and verification of the scanning tools used.
Audit / evidence tips
-
Askthe list of authorised scanning tools: Request a document detailing which tools are used for scanning software artefacts
Goodincludes up-to-date, industry-standard scanning tools recognised by agencies like the Australian Cyber Security Centre (ACSC)
-
Asklogs or reports from recent scans of software added to the repository
Goodshows a consistent record of timely scans with no unresolved issues
-
Askthird-party software validation documents: Request certificates or reports from third-party vendors confirming their software was scanned for malicious code. Check the validity and authenticity of these documents
Goodincludes up-to-date certificates that align with ongoing compliance checks
-
Aska training record on malicious code awareness: Request documentation proving personnel have been educated on spotting malicious code
Goodshows regular training sessions with full attendance or catch-up plans for absentees
-
Askminutes or notes from quarterly software audits
Goodincludes thorough checks documented with follow-up actions where needed
Cross-framework mappings
How ISM-2026 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.7 | ISM-2026 requires all software artefacts to be scanned for malicious content before they are imported into the authoritative software source | |
| sync_alt Partially overlaps (1) expand_less | ||
| Annex A 8.29 | ISM-2026 requires scanning software artefacts for malicious code before they are imported into the authoritative software source | |
E8
| Control | Notes | Details |
|---|---|---|
| link Related (1) expand_less | ||
| E8-RM-ML3.2 | ISM-2026 requires all software artefacts (including compiled code, third-party libraries and components) to be scanned for malicious code... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.