Document Security Roles and Knowledge for Development
Define and document roles and skills needed for secure software development.
Plain language
This control is about making sure everyone involved in software development knows their specific security roles and has the necessary skills. It's important because if people aren't clear on their responsibilities or don't have the right knowledge, software could become vulnerable to cyber threats, leading to data breaches or financial losses.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Official control statement
Security roles, responsibilities and knowledge requirements required to support the software development life cycle are identified and documented.
Why it matters
Without clearly defined security roles in software development, vulnerabilities may go unnoticed, risking breaches and financial losses.
Operational notes
Review and update documented SDLC security roles and knowledge needs regularly, and maintain role-based training so developers meet the defined requirements.
Implementation tips
- The development manager should map out all the roles involved in software development and the specific security responsibilities each role holds. They can start by listing the key stages of software development and determining who is responsible for security at each stage.
- HR should ensure everyone involved in software development has the required security skills and knowledge. They can achieve this by organising training sessions or courses that cover essential security practices and documenting who has completed them.
- The IT lead should regularly review and update the security knowledge gaps among the development team. They can conduct quarterly skills assessments and schedule additional training if any gaps are identified.
- Project managers should include security role definitions and required skills in all project documentation. They should collaborate with the IT team to ensure that these roles align with the organisation's security policies and procedures.
- The compliance officer should ensure a process is in place for regularly reviewing and updating security roles and knowledge requirements in the development team. This involves setting up periodic review meetings where changes in technology or threat landscapes can be discussed and roles adjusted accordingly.
Audit / evidence tips
- Ask: a document outlining the security roles in the software development lifecycle
  Good: A detailed document showing all roles with corresponding responsibilities for each development stage
- Good: Up-to-date training records or certifications for team members showing completion of security courses
- Ask: the latest skills assessment report for the development team
  Good: A report detailing skills evaluations, identified gaps, and actions taken to resolve gaps
- Good: Dated meeting notes with a list of agreed updates to roles and responsibilities
- Ask: the project documentation including security roles and responsibilities. Look to see if these are consistently applied across projects
  Good: Documents showing uniform application of security roles across different projects, reviewed by the compliance officer
Cross-framework mappings
How ISM-2035 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 5.2 | Partially meets | ISM-2035 requires organisations to identify and document security roles, responsibilities and knowledge requirements specifically to supp... |
| Annex A 6.2 | Partially overlaps | Annex A 6.2 requires that employment contractual agreements state personnel and organisational responsibilities for information security |
| Annex A 6.3 | Partially overlaps | ISM-2035 requires security roles, responsibilities and knowledge requirements to be identified and documented to support the software dev... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.