Ensure Automated Tests Are Completed Before Building
Before creating software, complete all automated tests without errors or warnings.
Plain language
Before software goes live, it's important to run tests to catch any problems or errors. This helps prevent issues that could lead to the software not working properly, risking data loss, unhappy customers, or unexpected costs in fixing things later.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software developmentTopic
Build SolutionOfficial control statement
The build solution ensures that all automated testing is completed without warnings, alerts or errors before building software artefacts.
Why it matters
Building artefacts when automated tests have warnings, alerts or failures can ship defects, causing outages, rework and security regressions.
Operational notes
Configure the build to block artefact creation unless the full automated test suite completes with zero warnings, alerts or errors; fail the pipeline on any test issue.
Implementation tips
- The IT team should set up automated testing software that runs all necessary tests whenever new software changes are made. They can use tools that automatically check for errors and send alerts if something is wrong, ensuring the team can fix issues promptly.
- Project managers should ensure that developers write proper test scripts for new features or changes. They can hold workshops to train developers on creating effective test scripts that thoroughly check for common mistakes and vulnerabilities.
- Business owners should require a test report before approving software for release. They could ask for a brief summary of test results, which shows everything was checked and passed successfully without errors.
- Developers should regularly update and maintain test scripts to include new scenarios based on customer feedback and previous issues. They can set a monthly review to add new tests, ensuring continued software performance and security.
- The IT manager should oversee a final review meeting before any software release. In this meeting, the team can confirm that all tests were completed, no issues were left unresolved, and everyone agrees the software is ready for deployment.
Audit / evidence tips
- AskAccess to the build pipeline documentation: Request details on the automated testing setup and execution process GoodShows clear documentation outlining the automated tests applied consistently
- AskRecent automated test reports: Request records of recent automated test results before a software build was approved GoodIncludes comprehensive, error-free test logs
- AskA list of resolved testing issues: Request records of any issues identified by automated tests and how they were resolved GoodDemonstrates a tracking system that promptly addresses and resolves all identified problems
- AskEvidence of testing tool maintenance: Request documentation on the updates and maintenance of testing tools GoodShows up-to-date records indicating proactive maintenance and testing tool reliability
- AskTo view the final sign-off record for software releases: Request proof of business owner sign-off after successful testing GoodEnsures sign-off was given after a thorough review of testing results
Cross-framework mappings
How ISM-2032 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.29 | ISM-2032 requires the build solution to gate software artefact creation until all automated tests complete with no warnings, alerts or er... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.