Document and Maintain Software Security Requirements
Ensure software security needs are documented and securely kept throughout all development stages.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
May 2025
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
N/A
Guideline
Guidelines for software development
All software security requirements are documented, stored securely and maintained throughout the software development life cycle.
Source: ASD Information Security Manual (ISM)
Plain language
This control is about making sure that the security needs of your software are carefully documented and kept safe throughout its development. If these requirements are not properly handled, there’s a risk that security weaknesses could be overlooked, leading to data breaches or other security incidents.
Why it matters
Neglecting documented security requirements can lead to missed vulnerabilities, with potential exposure to data breaches or unauthorised access.
Operational notes
Regularly review and update documented security needs as the software evolves to address emerging threats and changes in context.
Implementation tips
- System owners should ensure that a comprehensive list of security requirements is created at the start of a project. This can be done by working closely with IT security specialists to understand potential risks and document the necessary protections for the software.
- IT teams should establish a secure, access-controlled location for the documented security requirements. A version-controlled repository (for example the project's own source-control system) restricted to authorised team members is preferable to a shared password-protected folder: it records who changed what and when, retains history, and lets the requirements live alongside the code they govern.
- Project managers should regularly update the security requirements document throughout the software's development life cycle. They can do this by scheduling periodic review meetings with the development and IT teams to ensure the document reflects any changes or new threats.
- Managers should ensure that staff involved in software development understand the importance of maintaining these security documents. This could involve training sessions on how to recognise when updates are needed and the potential impact of outdated security requirements.
- QA teams should integrate a checklist of security requirements into their testing processes, so that every documented requirement is traceable to at least one test or review step. During each testing phase the team verifies that all documented security needs are met before the software moves to the next stage, and flags requirements that have no corresponding test.
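The tips above describe a requirements register that is owned, reviewed on a cadence, and traceable to tests. The following script is an added example (not from the ISM or this page) of checking such a register automatically, for instance as a CI gate. The JSON-lines format, field names, the 90-day review period and the sample entries are all assumptions constructed for the illustration.

```python
"""Sanity-check a software security requirements register (added example).

Each line of the register is one JSON object. The checks below look for the
problems an assessor would raise: missing fields, duplicate identifiers,
requirements with no owner, stale reviews, and implemented requirements that
no test verifies.
"""
import json
from datetime import date

# Assumption: re-review cadence agreed with the system owner.
REVIEW_PERIOD_DAYS = 90
ALLOWED_STATUS = {"proposed", "approved", "implemented", "verified", "retired"}
REQUIRED_FIELDS = ("id", "statement", "rationale", "owner",
                   "status", "last_reviewed", "verified_by")

# Constructed sample register; identifiers, owners and file names are invented.
SAMPLE_REGISTER = """
{"id": "SR-001", "statement": "All external input is validated against an allow-list before use", "rationale": "Prevents injection classes", "owner": "app-team", "status": "verified", "last_reviewed": "2026-02-01", "verified_by": ["tests/test_input_validation.py"]}
{"id": "SR-002", "statement": "Session tokens are rotated on privilege change", "rationale": "Limits session fixation", "owner": "app-team", "status": "approved", "last_reviewed": "2025-09-15", "verified_by": []}
{"id": "SR-003", "statement": "Secrets are never written to application logs", "rationale": "Avoids credential leakage via log aggregation", "owner": "", "status": "implemented", "last_reviewed": "2026-02-10", "verified_by": ["tests/test_logging.py"]}
{"id": "SR-001", "statement": "Duplicate identifier", "rationale": "x", "owner": "qa", "status": "draft", "last_reviewed": "2026-02-10", "verified_by": []}
"""


def load_register(text):
    """Parse the JSON-lines register, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_register(reqs, today):
    """Return a list of human-readable findings; an empty list means the register is clean."""
    findings = []
    seen_ids = set()
    for position, req in enumerate(reqs, 1):
        rid = req.get("id", f"<line {position}>")
        missing = [f for f in REQUIRED_FIELDS if f not in req]
        if missing:
            findings.append(f"{rid}: missing fields {missing}")
            continue  # remaining checks need the fields present
        if rid in seen_ids:
            findings.append(f"{rid}: duplicate identifier")
        seen_ids.add(rid)
        if not req["owner"].strip():
            findings.append(f"{rid}: no owner")
        if req["status"] not in ALLOWED_STATUS:
            findings.append(f"{rid}: unknown status {req['status']!r}")
        age_days = (today - date.fromisoformat(req["last_reviewed"])).days
        if age_days > REVIEW_PERIOD_DAYS:
            findings.append(f"{rid}: last reviewed {age_days} days ago (limit {REVIEW_PERIOD_DAYS})")
        # A requirement claimed as implemented or verified must point at evidence.
        if req["status"] in {"implemented", "verified"} and not req["verified_by"]:
            findings.append(f"{rid}: status {req['status']} but no verifying test recorded")
    return findings


def audit(register_text, today_iso):
    """Convenience wrapper: parse, check, and return findings for a given date."""
    return check_register(load_register(register_text), date.fromisoformat(today_iso))


if __name__ == "__main__":
    import sys
    problems = audit(SAMPLE_REGISTER, date.today().isoformat())
    for line in problems:
        print(line)
    # Non-zero exit lets a CI job block a release on an unmaintained register.
    sys.exit(1 if problems else 0)
```

Run against the constructed sample on 22 Feb 2026 it reports a stale review on SR-002, a missing owner on SR-003, and a duplicate SR-001 with an unrecognised status; the first entry alone passes cleanly. Storing the register in the same version-controlled repository as the code gives the change history and access records that the audit tips below ask for.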
Audit / evidence tips
- Ask: for the initial software security requirements document, i.e. the list of security needs created for the project.
  Good: a comprehensive list that clearly outlines each security need with its reasoning.
- Ask: for records of updates to the security requirements, i.e. evidence of how the document changed over the project's life.
  Good: a living document with regular and relevant updates recorded.
- Ask: to see the access logs for the secure storage location of the requirements, i.e. the access history for where the document is stored.
  Good: only relevant personnel have accessed the document.
- Ask: the QA team for their security compliance checklist, i.e. the checklist used during software testing.
  Good: a detailed checklist that covers all the necessary security validations.
- Ask: the project manager for meeting notes or minutes from security review sessions, i.e. records of the regular security review discussions.
  Good: evidence of considered discussion about maintaining the security requirements.
Cross-framework mappings
How ISM-2033 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM. Only ISO/IEC 27001 mappings are listed for this control; Essential Eight maturity levels are not applicable.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Relationship | Annex A control | Notes |
|---|---|---|
| Partially meets (2) | 5.8 Information security in project management | ISM-2033 requires software security requirements to be documented, stored securely and maintained throughout the SDLC, which is one of the ways security is addressed within a project. |
| Partially meets (2) | 8.25 Secure development life cycle | Documented and maintained security requirements are a baseline element of a secure development life cycle. |
| Partially overlaps (4) | 5.20 Addressing information security within supplier agreements | Documented requirements are what the organisation can hand to, and hold, suppliers to; ISM-2033 does not itself address supplier agreements. |
| Partially overlaps (4) | 8.26 Application security requirements | Annex A 8.26 requires information security requirements to be identified, specified and approved when developing or acquiring applications; ISM-2033 adds secure storage and maintenance through the SDLC. |
| Partially overlaps (4) | 8.27 Secure system architecture and engineering principles | Engineering principles are applied against documented requirements; ISM-2033 covers the requirements, not the principles. |
| Partially overlaps (4) | 8.30 Outsourced development | Outsourced development still has to work from the organisation's documented requirements; ISM-2033 does not cover oversight of the outsourcer. |
| Supports (5) | 5.31 Legal, statutory, regulatory and contractual requirements | Legal and contractual obligations are one source of the security requirements ISM-2033 expects to be recorded. |
| Supports (5) | 8.4 Access to source code | Keeping the requirements in a securely stored, access-controlled location is consistent with restricting access to development artefacts. |
| Supports (5) | 8.9 Configuration management | Maintaining the requirements document under change control supports configuration management of the system. |
| Supports (5) | 8.28 Secure coding | Documented requirements give secure coding practices a concrete target. |
| Supports (5) | 8.29 Security testing in development and acceptance | Annex A 8.29 stipulates defining and executing security testing processes within the SDLC; documented requirements are what that testing verifies. |