Training for Secure Software Development Skills
Developers lacking cyber security skills must be trained in secure programming practices.
Plain language
In simple terms, this control is all about making sure software developers know how to build secure programs. Just like you wouldn't want an unqualified mechanic working on your car, you don't want developers who lack security training creating software that could expose your business to cyber threats. Without this training, your software could have vulnerabilities that hackers might exploit, leading to data breaches or system failures.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Official control statement
Software developers that lack sufficient cyber security knowledge and skills required for their projects or tasks undertake suitable training on secure software development and programming practices.
Why it matters
Without secure coding training, developers are likely to introduce common flaws (e.g., injection, authentication and authorisation errors, unsafe handling of untrusted input), which attackers can exploit to cause data breaches or service disruption.
Operational notes
Assess developers’ secure coding skills per project, assign role-relevant training, and track completion/refreshers for secure programming practices.
Implementation tips
- Managers should identify which developers need training in secure software practices. This involves reviewing project roles and current skill sets to see who is working on projects that affect the security of your organisation.
- Procurement officers can select qualified training providers to deliver courses on secure software development. They should look for courses that cover common vulnerabilities and provide practical ways to write safer code.
- IT teams should schedule regular training sessions for developers, where they practice secure coding techniques. This could involve workshops with hands-on exercises to reinforce learning.
- Project leaders should create a checklist of security considerations for developers to follow during their work. This checklist might include steps to guard against common vulnerabilities or integrate security checks into their development process.
- Managers should assess the effectiveness of training by setting benchmarks for developers to meet after completing courses. They might do this by testing knowledge through quizzes or practical evaluations.
Audit / evidence tips
- Ask for a list of developers who need security training and of those who have received it
- Ask for the content outlines or syllabi of the training courses provided
- Good outcome: developers show a high level of understanding and readiness to apply the skills learned
- Ask to see project documentation that includes a security checklist for developers
Cross-framework mappings
How ISM-2037 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 6.3 | ISM-2037 requires that software developers who lack sufficient cyber security knowledge and skills undertake suitable training in secure ... |
| Depends on | Annex A 8.28 | Annex A 8.28 requires secure coding principles to be applied in software development |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.