Document and Maintain Software Security Requirements
Ensure software security needs are documented and securely kept throughout all development stages.
Plain language
This control is about making sure that the security needs of your software are carefully documented and kept safe throughout its development. If these requirements are not properly handled, there’s a risk that security weaknesses could be overlooked, leading to data breaches or other security incidents.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Official control statement
All software security requirements are documented, stored securely and maintained throughout the software development life cycle.
Why it matters
Neglecting documented security requirements can lead to missed vulnerabilities, with potential exposure to data breaches or unauthorised access.
Operational notes
Regularly review and update documented security needs as the software evolves to address emerging threats and changes in context.
Implementation tips
- System owners should ensure that a comprehensive list of security requirements is created at the start of a project. This can be done by working closely with IT security specialists to understand potential risks and document the necessary protections for the software.
- IT teams should establish a secure, access-controlled location for storing the documented security requirements. In practice this means a version-controlled repository or document store where access is restricted to authorised team members, changes are attributable to an individual, and access is logged so that the history of who read or altered the requirements can be audited.
- Project managers should regularly update the security requirements document throughout the software's development life cycle. They can do this by scheduling periodic review meetings with the development and IT teams to ensure the document reflects any changes or new threats.
- Managers should ensure that staff involved in software development understand the importance of maintaining these security documents. This could involve training sessions on how to recognise when updates are needed and the potential impact of outdated security requirements.
- QA teams should integrate a checklist of security requirements into their testing processes. This means that during every testing phase, the team verifies that all documented security needs are being met before the software moves to the next stage.
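The tips above describe keeping the requirements register current and tying each requirement to a QA check. One way to make that verifiable rather than a matter of meeting minutes is to keep the register in a structured, version-controlled file and lint it in CI. The script below is an added illustration, not code from the ISM or from this page: it validates a constructed register for missing fields, duplicate identifiers, stale review dates and requirements that no test verifies. The field names (`id`, `owner`, `last_reviewed`, `verified_by`), the 90-day review window and the sample requirements are assumptions chosen for the example.

```python
"""Lint a software security requirements register (added illustration).

Assumptions (not ISM-defined): each requirement is a mapping with the fields
id, statement, owner, last_reviewed (ISO date) and verified_by (test names);
a requirement is stale if not reviewed within REVIEW_MAX_AGE_DAYS.
"""
from datetime import date

REVIEW_MAX_AGE_DAYS = 90
REQUIRED_FIELDS = ("id", "statement", "owner", "last_reviewed", "verified_by")

# Constructed sample register; in practice this would be loaded from a
# version-controlled YAML/JSON file in the project repository.
REGISTER = [
    {"id": "SR-001", "statement": "All authentication events are logged",
     "owner": "appsec", "last_reviewed": "2026-02-10",
     "verified_by": ["test_auth_logging"]},
    {"id": "SR-002", "statement": "Passwords are stored with Argon2id",
     "owner": "appsec", "last_reviewed": "2025-06-01",
     "verified_by": ["test_password_hashing"]},
    {"id": "SR-003", "statement": "TLS 1.2 or later is enforced on all listeners",
     "owner": "", "last_reviewed": "2026-03-01",
     "verified_by": []},
]

# Constructed: names of tests that exist in the project's test suite.
TEST_SUITE = {"test_auth_logging", "test_password_hashing"}

# Date the check is run against, fixed so the example is reproducible.
AS_OF = date(2026, 3, 19)


def validate_register(register, test_suite, today):
    """Return a list of human-readable findings; an empty list means the
    register is complete, current and fully traced to tests."""
    findings = []
    seen_ids = set()
    for req in register:
        rid = req.get("id") or "<missing id>"

        # Every requirement needs a unique identifier so tests and reviews
        # can reference it unambiguously.
        if rid in seen_ids:
            findings.append(f"{rid}: duplicate id")
        seen_ids.add(rid)

        # Empty strings and empty lists count as missing.
        for field in REQUIRED_FIELDS:
            if not req.get(field):
                findings.append(f"{rid}: missing {field}")

        # Staleness: a documented requirement that nobody has looked at
        # recently is the 'outdated requirements' failure mode the control
        # warns about.
        reviewed = req.get("last_reviewed")
        if reviewed:
            age = (today - date.fromisoformat(reviewed)).days
            if age > REVIEW_MAX_AGE_DAYS:
                findings.append(
                    f"{rid}: last reviewed {reviewed}, older than "
                    f"{REVIEW_MAX_AGE_DAYS} days")

        # Traceability: each named verification test must actually exist,
        # otherwise the checklist is documentation with no enforcement.
        for test_name in req.get("verified_by") or []:
            if test_name not in test_suite:
                findings.append(
                    f"{rid}: verification test {test_name} not in suite")
    return findings


def untraced_requirements(register):
    """Return ids of requirements with no verifying test at all."""
    return [r["id"] for r in register if not r.get("verified_by")]


if __name__ == "__main__":
    # Non-zero exit lets a CI job fail the build when the register drifts.
    problems = validate_register(REGISTER, TEST_SUITE, AS_OF)
    for line in problems:
        print(line)
    print("untraced:", untraced_requirements(REGISTER))
    raise SystemExit(1 if problems else 0)
```

Running this as a CI step turns the audit questions on this page (is the document complete, is it a living document, does QA actually check each requirement) into a failing build rather than something discovered at review time. The register file itself should live in the access-controlled repository the storage tip describes, so its commit history doubles as the update record an auditor will ask for.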
Audit / evidence tips
- Ask: the initial software security requirements document. Request to see the list of security needs created for the project.
  Good: includes a comprehensive list that clearly outlines each security need with reasoning.
- Ask: records of updates to the security requirements. Request evidence of how the requirements document was changed over the project's life.
  Good: shows a living document with regular and relevant updates recorded.
- Ask: to see the access logs for the secure storage location of the requirements. Request access history for where the document is stored.
  Good: reveals that only relevant personnel access the document.
- Ask: the QA team for their security compliance checklist. Request the checklist used during software testing.
  Good: a detailed checklist that includes all the necessary security validations.
- Ask: the project manager for meeting notes or minutes from security review sessions. Request records from regular security review discussions.
  Good: evidences thoughtful discussion around maintaining security integrity.
Cross-framework mappings
How ISM-2033 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.25 | ISM-2033 requires software security requirements to be documented, stored securely, and maintained throughout the SDLC |
| Partially overlaps | Annex A 5.20 | ISM-2033 requires software security requirements to be documented, stored securely, and maintained throughout the SDLC |
| Partially overlaps | Annex A 8.26 | Annex A 8.26 requires information security requirements to be identified, specified and approved when developing or acquiring applications |
| Partially overlaps | Annex A 8.27 | ISM-2033 requires software security requirements to be documented, stored securely, and maintained throughout the SDLC |
| Partially overlaps | Annex A 8.30 | ISM-2033 requires software security requirements to be documented, stored securely, and maintained throughout the SDLC |
| Supports | Annex A 5.31 | ISM-2033 requires software security requirements to be documented, stored securely, and maintained throughout the SDLC |
| Supports | Annex A 8.4 | ISM-2033 requires software security requirements to be documented, stored securely, and maintained throughout the SDLC |
| Supports | Annex A 8.9 | ISM-2033 requires software security requirements to be documented, stored securely, and maintained throughout the SDLC |
| Supports | Annex A 8.28 | ISM-2033 requires software security requirements to be documented, stored securely, and maintained throughout the SDLC |
| Supports | Annex A 8.29 | Annex A 8.29 stipulates defining and executing security testing processes within the SDLC |
| Related | Annex A 5.8 | Annex A 5.8 requires information security to be integrated into project management so security is considered and checked throughout proje... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.