Verify Software Artefacts with Digital Signatures
Ensure all software is authenticated with a digital signature or secure hash before use.
Plain language
This control is about making sure that the software your business uses is legitimate and hasn't been tampered with. Think of it as checking the seal on a jar of jam; if you don't verify it's unbroken, you might end up with something spoiled or fake. Skipping this step could lead to malware entering your systems, resulting in data breaches or financial losses.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Topic
Software Artefacts
Official control statement
All software artefacts are verified by a digital signature, or a secure hash provided over a secure channel, before being imported into the authoritative source for software.
Why it matters
Without verifying artefacts via digital signatures or trusted hashes, malicious code can be imported into the software source, causing compromise or data loss.
Operational notes
Maintain trusted signing keys/certificates and hash sources; verify signatures or hashes before import, and quarantine/reject any artefact with mismatches.
Implementation tips
- The IT team should include digital signature verification in their software procurement process. They can do this by requiring vendors to provide digital signatures with every software package. The IT team should verify these signatures against the known signing keys of trusted providers before deploying the software.
- Procurement officers should request secure hashes from vendors when buying new software. To do this, write into the contract that suppliers must provide the hash through a secure email or a verified portal, and ensure it's checked by the IT department upon receipt.
- System administrators should implement tools that automatically check software signatures and hashes before installation. They can integrate these tools into the system's update process to ensure that unverified software doesn't get installed.
- Managers should run training sessions for staff who handle software to explain the importance of verifying digital signatures. This involves arranging for an IT professional to demonstrate what to check for and how often these checks should occur.
- Regularly audit the software asset register by designating an IT team member to ensure all entries have verified digital signatures. They should review this quarterly, updating the register and removing any unverified software from systems if necessary.
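The "secure hash" path of this control, as an added example that is not part of the ISM or Control Stack material: each incoming artefact is hashed, compared in constant time against a manifest assumed to have arrived over a separate secure channel, and moved into the authoritative source only on a match; mismatched and unlisted artefacts go to quarantine. File names, contents and the manifest are constructed for the demo.

```python
import hashlib
import hmac
import shutil
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, hashed in 1 MiB chunks so large artefacts fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_artefact(path: Path, trusted: dict[str, str]) -> tuple[bool, str]:
    """Check one artefact against the trusted manifest; artefacts not listed fail too."""
    expected = trusted.get(path.name)
    if expected is None:
        return False, "no trusted digest on record"
    actual = sha256_file(path)
    # Constant-time comparison: the verifier should not short-circuit on partial matches.
    if not hmac.compare_digest(actual, expected.lower()):
        return False, f"digest mismatch (expected {expected[:12]}..., got {actual[:12]}...)"
    return True, "digest matches trusted manifest"

def import_artefacts(incoming: Path, authoritative: Path, quarantine: Path,
                     trusted: dict[str, str]) -> dict[str, str]:
    """Move verified artefacts into the authoritative source and everything else to quarantine."""
    authoritative.mkdir(parents=True, exist_ok=True)
    quarantine.mkdir(parents=True, exist_ok=True)
    outcome = {}
    for artefact in sorted(p for p in incoming.iterdir() if p.is_file()):
        ok, reason = verify_artefact(artefact, trusted)
        shutil.move(str(artefact), str((authoritative if ok else quarantine) / artefact.name))
        outcome[artefact.name] = f"{'imported' if ok else 'quarantined'}: {reason}"
    return outcome

def demo() -> dict[str, str]:
    """Constructed scenario: one genuine, one tampered and one unlisted artefact."""
    incoming = Path(tempfile.mkdtemp()) / "incoming"
    incoming.mkdir()
    genuine = b"vendor-agent-1.4.2 release payload"  # constructed file content
    (incoming / "agent-1.4.2.tar.gz").write_bytes(genuine)
    (incoming / "agent-1.4.1.tar.gz").write_bytes(b"modified in transit")  # tampered
    (incoming / "helper-0.9.zip").write_bytes(b"never listed by the vendor")
    # Manifest as received over the secure channel (constructed): two vendor artefacts.
    trusted = {"agent-1.4.2.tar.gz": hashlib.sha256(genuine).hexdigest(),
               "agent-1.4.1.tar.gz": hashlib.sha256(b"original 1.4.1 payload").hexdigest()}
    return import_artefacts(incoming, incoming.parent / "authoritative",
                            incoming.parent / "quarantine", trusted)
```

Signature verification (the other path the control allows) replaces the manifest lookup with a check of the vendor's signature against a pinned public key, but the import/quarantine flow stays the same.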
Audit / evidence tips
- Ask for a list of all software installed within the last year along with their verification records.
  Good: the list will have all software documented with accompanying records showing successful verification.
- Ask for contracts or purchase orders that include requirements for digital signatures or hashes.
- Good: the log will show a timeline with entries confirming each piece of software was verified before use.
- Ask to see the checklist or procedure document for verifying software artefacts.
  Good: the procedure will have clear steps, responsible persons, and a review date.
Cross-framework mappings
How ISM-2027 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
Supports (5)
| Control | Notes |
|---|---|
| Annex A 5.19 | ISM-2027 requires cryptographic integrity/authenticity checks (signatures or secure hashes via a secure channel) for software artefacts p... |
| Annex A 5.21 | ISM-2027 requires verification of software artefacts using digital signatures or secure hashes before they enter the organisation’s autho... |
| Annex A 8.19 | Annex A 8.19 requires secure management of software installation, which commonly includes validating software integrity and provenance be... |
| Annex A 8.24 | ISM-2027 mandates the use of digital signatures or secure hashes (and a secure channel) to verify software artefacts before use/import |
| Annex A 8.26 | ISM-2027 requires that software artefacts are verified for authenticity and integrity before being imported into the authoritative source |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.