Document Security Duties for Software Developers
Clearly define and document what software developers must do to ensure security.
Plain language
This control means that software developers must have their security tasks clearly outlined and documented. It's important because if they don't know their security responsibilities, your software may not protect sensitive data well, which could lead to data breaches or loss of customer trust.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Official control statement
Security responsibilities for software developers are identified and documented.
Why it matters
Without documented security duties, developers may miss secure design and coding tasks, increasing vulnerabilities and risk of data breaches.
Operational notes
Document developer security duties in role descriptions/SDLC guidance, brief at onboarding, and review after tooling, stack or threat changes.
Implementation tips
- The IT manager should create a list of security responsibilities for developers. This means writing down the specific security tasks each developer is responsible for, like checking for vulnerabilities in the code before it's used.
- The software development team leader should hold a meeting to explain the documented security duties to all developers. During this meeting, ensure everyone knows their role in maintaining software security and clarify any questions.
- Human Resources (HR) should integrate these security duties into the developers' job descriptions. Update job role documents and performance reviews to include these security tasks so developers know they're a formal part of their job.
- The IT team should implement regular training sessions on software security best practices. Use resources from the Australian Cyber Security Centre (ACSC) or Australian Signals Directorate (ASD) to ensure the team stays updated on the latest security threats and methods.
- The management team should ensure developers have access to the necessary tools and resources to perform their security responsibilities. This could mean purchasing security software or enrolling staff in specialised security training courses.
Audit / evidence tips
- Ask: the document detailing developers' security responsibilities
  Good: A document that lists specific tasks like code review, testing for vulnerabilities, and secure coding practices
- Ask: to see developer job descriptions
  Good: Job descriptions that mention specific security tasks as part of the developer's role
- Ask: a record of security training sessions attended by developers
  Good: Regular, up-to-date training sessions covering relevant security issues, documented clearly
- Ask: meeting notes or recordings where security duties were communicated to the team
  Good: Notes showing specific topics discussed and attendance by all the developers
- Ask: evidence of tools or resources provided for developers to fulfil their security duties
  Good: Proof of recent updates on tools and completed security training sessions
Cross-framework mappings
How ISM-2036 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 6.2 | Annex A 6.2 requires employment contractual agreements to explicitly state information security responsibilities of personnel and the org... | |
| Supports (2) | | |
| Annex A 5.4 | ISM-2036 requires that security responsibilities for software developers are identified and documented | |
| Annex A 6.5 | Annex A 6.5 requires organisations to define, enforce and communicate security responsibilities that continue after termination or role c... | |
| Related (2) | | |
| Annex A 5.2 | Annex A 5.2 requires defining and allocating information security roles and responsibilities across the organisation | |
| Annex A 8.25 | Annex A 8.25 requires secure development lifecycle rules to be established and applied | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.