ISM-2026 policy ASD Information Security Manual (ISM)

Scan Software Artefacts for Malicious Content

Ensure all software artefacts are checked for harmful content before adding them to the main software source.


Plain language

Before any new software artefact (an application, update, library, plugin or build output) is imported into the authoritative source your builds and deployments draw from, scan it for malicious content. Skipping that check risks admitting malware that can steal data, disrupt operations or damage your organisation's reputation, and once an artefact is in the authoritative source it is trusted by everything downstream.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS (non-classified, OFFICIAL: Sensitive, PROTECTED, SECRET, TOP SECRET)

ISM last updated

Mar 2026

Control Stack last updated

24 Mar 2026

E8 maturity levels

N/A

Official control statement

All software artefacts are scanned for malicious content before being imported into the authoritative source for software.

Source: ASD Information Security Manual (ISM), control ISM-2026.

Why it matters

Without scanning software artefacts, you risk allowing malware to enter your systems, which can lead to data breaches and significant business disruptions.


Operational notes

Keep scanning engines and their signature or rule sets current so they detect newly identified threats. Scan on a consistent schedule: every artefact at import, plus periodic rescans of what is already in the repository, since a file that was clean against last month's signatures may be flagged by today's. Investigate every detection fully before deciding whether the artefact can be admitted; an unresolved finding is a blocked import, not a warning.


Implementation tips

  • IT team should establish a process to scan software artefacts: Use reliable tools to check every artefact, including applications, libraries, components, build outputs and installers. Artefacts should land in an untrusted intake area and only be moved into the authoritative source once the scan is clean; nothing should be written to the authoritative source directly.
  • Procurement should ensure all third-party software is vetted: Require suppliers to provide evidence that their software has been scanned for malicious code, such as a security certification or scan report. Treat this as supplementary: the control requires that you scan the artefact yourself before import, so a vendor's report does not replace your own scan.
  • System managers should conduct regular training sessions: Educate teams on why artefacts are scanned and how to recognise indicators of malicious code. Training can be incorporated into regular staff meetings or into onboarding for new team members.
  • Developers must integrate security checks into the development process: Embed automated scans in the software development lifecycle so that every change to code, dependencies and build outputs is scanned for malicious content (and vulnerabilities) before it can reach the authoritative source. A compromised dependency or tampered build output should be caught at this gate, not in production.
  • Project managers should schedule regular software audits: Set aside time every quarter to review all software in the repository and confirm it was scanned before import. Coordinate with the IT team to check for scan records and to verify which scanning tools were used and whether they were up to date at the time.
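As an added illustration, not code from the ISM or from this site, the following Python script implements the intake gate described in the tips above: artefacts are dropped into an untrusted intake directory, scanned, and moved either into the authoritative directory or into quarantine, with every decision appended to a JSON-lines scan log of the kind the audit section asks for. The directory layout, file names and denylist are assumptions, and the scanner itself is a stand-in (a hash denylist plus the industry-standard EICAR test signature) so the example runs offline; in production `scan_bytes` would call a real engine.

```python
"""Admission gate for an authoritative software source (added illustration).

Assumed, hypothetical layout: artefacts arrive in an untrusted intake
directory and are only moved into the authoritative directory after a
clean scan; anything that fails goes to quarantine. The scanner is a
stand-in (hash denylist plus the EICAR test signature) so this runs
offline; replace scan_bytes() with a call to a real engine.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

# Constructed denylist: SHA-256 digests of artefacts already known to be bad.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-known-bad-artefact").hexdigest()}

# The EICAR test string: the standard harmless pattern every AV engine flags.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def scan_bytes(data: bytes) -> list[str]:
    """Return findings for an artefact; an empty list means clean."""
    findings = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        findings.append(f"sha256 {digest} is on the denylist")
    if EICAR in data:
        findings.append("EICAR-Test-File signature present")
    return findings


def admit(artefact: Path, authoritative: Path, quarantine: Path, log: Path) -> dict:
    """Scan one intake artefact and move it to authoritative or quarantine.

    Every decision is appended to `log` as one JSON line; that file is the
    scan record an auditor will ask to see.
    """
    data = artefact.read_bytes()
    findings = scan_bytes(data)
    verdict = "rejected" if findings else "admitted"
    dest_dir = quarantine if findings else authoritative
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / artefact.name
    shutil.move(str(artefact), str(dest))
    record = {
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "artefact": artefact.name,
        "sha256": hashlib.sha256(data).hexdigest(),
        "verdict": verdict,
        "findings": findings,
        "stored_at": str(dest),
    }
    with log.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
    return record


def run_demo() -> dict[str, str]:
    """Drop three constructed artefacts into intake and return their verdicts."""
    root = Path(tempfile.mkdtemp(prefix="artefact-gate-"))
    intake, auth, quar = root / "intake", root / "authoritative", root / "quarantine"
    intake.mkdir()
    log = root / "scan-log.jsonl"
    samples = {  # constructed sample artefacts
        "libclean-1.0.tar.gz": b"constructed clean library contents",
        "evil-plugin.jar": b"PK\x03\x04" + EICAR,            # carries the test signature
        "old-build.whl": b"constructed-known-bad-artefact",  # digest is on the denylist
    }
    for name, body in samples.items():
        (intake / name).write_bytes(body)
    verdicts = {p.name: admit(p, auth, quar, log)["verdict"] for p in sorted(intake.iterdir())}
    # Nothing rejected may have reached the authoritative source.
    assert not (auth / "evil-plugin.jar").exists()
    assert not (auth / "old-build.whl").exists()
    return verdicts


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The structural point is that `admit()` is the only path into the authoritative directory, so a clean scan is a precondition for import rather than a report produced afterwards. To use a real engine, have `scan_bytes()` write the bytes to a temporary file and invoke, for example, ClamAV's `clamscan`, which exits with status 1 when it detects something; keep the JSON-lines log either way, since it is the evidence the quarterly audit will look for.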

Audit / evidence tips

  • Ask for: the list of authorised scanning tools, i.e. a document detailing which tools are used for scanning software artefacts. Good evidence: up-to-date, industry-standard scanning tools recognised by agencies such as the Australian Cyber Security Centre (ACSC).
  • Ask for: logs or reports from recent scans of software added to the repository. Good evidence: a consistent record of timely scans, each tied to the artefact it covers, with no unresolved detections.
  • Ask for: third-party software validation documents, i.e. certificates or reports from vendors confirming their software was scanned for malicious code; check the validity and authenticity of these documents. Good evidence: current certificates that align with ongoing compliance checks, alongside the organisation's own scan record for the same artefact.
  • Ask for: a training record on malicious code awareness, i.e. documentation showing personnel have been educated on spotting malicious code. Good evidence: regular training sessions with full attendance or catch-up plans for absentees.
  • Ask for: minutes or notes from quarterly software audits. Good evidence: thorough checks documented with follow-up actions where needed.

Cross-framework mappings

How ISM-2026 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

ISO 27001

  • Annex A 8.7 (Protection against malware): partially meets. ISM-2026 requires all software artefacts to be scanned for malicious content before they are imported into the authoritative software source.
  • Annex A 8.29 (Security testing in development and acceptance): partially overlaps. ISM-2026 requires scanning software artefacts for malicious code before they are imported into the authoritative software source.

E8

  • E8-RM-ML3.2: related. ISM-2026 requires all software artefacts (including compiled code, third-party libraries and components) to be scanned for malicious code...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
