ISM-2029 (ASD Information Security Manual (ISM) policy control)

Restrict Third-Party Libraries to Trustworthy Sources

Only use third-party libraries from reliable sources to ensure software security.


Plain language

This control is about ensuring that the software your business uses is safe by only including parts from reliable and trustworthy sources. If you include software components from untrustworthy sources, your systems could become vulnerable to hackers, potentially leading to data theft or financial loss.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

The authoritative source for software restricts the use and import of third-party libraries and software components to trustworthy sources.

Why it matters

Using untrusted third-party libraries can introduce vulnerable or malicious code, enabling supply-chain compromise of applications and systems.


Operational notes

Use an allowlist of approved libraries/registries, require integrity checks (hash/signature), and review advisories/updates for each trusted source.
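The two checks named above (a registry allowlist and a per-artefact hash check against the lockfile) can be enforced mechanically in a build step. The script below is an added illustration, not part of the ISM or the Control Stack page; the registry hosts, lockfile entries and artefact bytes are all constructed sample values.

```python
"""Constructed example: enforce a registry allowlist and a lockfile hash check."""
import hashlib
from urllib.parse import urlparse

# Registries the organisation has approved (constructed values, not a real policy).
ALLOWED_HOSTS = {"files.pythonhosted.org", "registry.internal.example"}

# Simplified lockfile (constructed); real lockfiles carry the same origin + digest.
LOCKFILE = [
    {"name": "requests", "version": "2.32.3",
     "url": "https://files.pythonhosted.org/packages/requests-2.32.3.tar.gz",
     "sha256": hashlib.sha256(b"requests-2.32.3").hexdigest()},
    {"name": "internal-auth", "version": "1.4.0",
     "url": "https://registry.internal.example/internal-auth-1.4.0.tar.gz",
     "sha256": hashlib.sha256(b"internal-auth-1.4.0").hexdigest()},
    {"name": "leftpad-utils", "version": "0.1.0",
     "url": "https://gist.example.net/raw/leftpad-utils-0.1.0.tar.gz",
     "sha256": hashlib.sha256(b"leftpad-utils-0.1.0").hexdigest()},
]

# Fetched artefacts keyed name@version (constructed; internal-auth differs from what was pinned).
DOWNLOADED = {
    "requests@2.32.3": b"requests-2.32.3",
    "internal-auth@1.4.0": b"internal-auth-1.4.0-modified",
    "leftpad-utils@0.1.0": b"leftpad-utils-0.1.0",
}

def check_entry(entry, artefact, allowed_hosts=ALLOWED_HOSTS):
    """Return the policy violations for one lockfile entry (empty list = accept)."""
    findings = []
    parsed = urlparse(entry["url"])
    if parsed.scheme != "https":
        findings.append("not fetched over https")
    if (parsed.hostname or "") not in allowed_hosts:
        findings.append(f"source {parsed.hostname!r} not on allowlist")
    if artefact is None:
        findings.append("artefact missing")
    elif hashlib.sha256(artefact).hexdigest() != entry["sha256"]:
        findings.append("sha256 mismatch against lockfile")
    return findings

def check_manifest(lockfile, downloaded, allowed_hosts=ALLOWED_HOSTS):
    """Map name@version -> findings; entries that pass both checks are omitted."""
    report = {}
    for entry in lockfile:
        key = f"{entry['name']}@{entry['version']}"
        findings = check_entry(entry, downloaded.get(key), allowed_hosts)
        if findings:
            report[key] = findings
    return report
```

A non-empty report is the signal to fail the build; the allowlist and the pinned digests are the evidence an auditor can ask for under the tips below.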


Implementation tips

  • Procurement team should verify the reputation of third-party library sources before purchase. Check for customer reviews, history of security issues, and certifications that prove reliability.
  • IT team should create a list of approved third-party library sources. Regularly update this list and ensure that every acquisition is checked against it to maintain software security.
  • Management should establish a policy that defines what constitutes a trustworthy source for third-party libraries. Ensure that all staff involved in software acquisition and development understand and follow this guideline.
  • System developers should review existing software components and ensure they come from reliable sources. Remove or replace any libraries from unapproved or questionable sources to minimise risk.
  • Conduct regular training sessions for software developers to recognise trustworthy sources. Use real-world examples of good and bad sources to help them make informed decisions.

Audit / evidence tips

  • Ask: The list of approved third-party library sources; look to see if it covers all software types used by the organisation. Good evidence: A well-documented list showing trusted sources and evidence it's regularly updated.
  • Good evidence: A policy that aligns with security best practices and is accessible to all staff.
  • Ask: Records of software components currently in use. Good evidence: Detailed records showing components and their verified origins.
  • Good evidence: Regular, thorough training sessions documented with attendance and materials.
  • Ask: The minutes from recent software review meetings. Good evidence: Meeting records showing active reviews and decisions on library use.

Cross-framework mappings

How ISM-2029 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Supports (3):
  • Annex A 5.22: ISM-2029 requires restricting third-party libraries and components to trustworthy sources to reduce dependency compromise.
  • Annex A 8.29: ISM-2029 requires that third-party libraries and components are only imported from trustworthy sources to reduce the likelihood of malici...
  • Annex A 8.30: ISM-2029 requires the authoritative software source to restrict third-party libraries to trustworthy sources to manage software supply-ch...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
