ISM-2038 policy ASD Information Security Manual (ISM)

Maintain Developer Cyber Security Skills Register

Keep a record of software developers' cybersecurity skills and knowledge.


Plain language

This control is about keeping track of the cybersecurity skills and knowledge of the software developers in your organisation. This matters because developers who are not up to date on secure development practices are more likely to write software that is vulnerable to attack, putting your business and customer data at risk.

Framework

ASD Information Security Manual (ISM)

Control effect

Proactive

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

A software developer cyber security knowledge and skills register is implemented and maintained.

Why it matters

Without a developer cyber security skills register, skills gaps go unnoticed, increasing the likelihood of insecure code and missed secure development practices.


Operational notes

Maintain a central register of each developer's cyber security skills, training and certifications, and review and update it after training courses, onboarding and role changes.


Implementation tips

  • HR should work with IT to create a cybersecurity skills register: This means listing all the developers and noting down their specific skills and any formal cybersecurity training they have completed.
  • IT managers should regularly update the skills register: Schedule a quarterly review to ensure that any new skills or training the developers have acquired are recorded.
  • Line managers should identify skill gaps and plan further training: They should review the register to spot any missing skills that are critical for security and organise relevant training sessions.
  • Developers should log self-directed learning activities: Encourage developers to write down any workshops or certifications they complete independently and share these with their managers.
  • Organisational leaders should review the skills register annually: A senior leader should sign off on the register each year to ensure that the organisation is maintaining strong cybersecurity capabilities.

Audit / evidence tips

  • Ask for: The cybersecurity skills register. Request the document that lists developers' skills and training records.
    Good evidence: A regularly updated register with relevant skill entries for each developer.
  • Ask for: The schedule of skills review meetings. Ensure there is a structured plan for regular updates to the register.
    Good evidence: A documented schedule showing consistent updates.
  • Ask for: Training plans for developers. Request any documented plans for developer training in cybersecurity.
    Good evidence: Training plans that link to specific needs identified in the register.
  • Ask about: Self-directed learning submissions. Find out how developers report independent learning.
    Good evidence: Records of developer-initiated learning being added to the register.
  • Ask for: The annual review sign-off. Request evidence of a senior leader's review of the register.
    Good evidence: Demonstrated leadership oversight of and commitment to cybersecurity training.

Cross-framework mappings

How ISM-2038 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001 (relationship: Supports, 2 controls)

  • Annex A 5.2: ISM-2038 requires organisations to implement and maintain a register of software developers' cyber security knowledge and skills.
  • Annex A 6.3: ISM-2038 requires organisations to implement and maintain a register of software developers' cyber security knowledge and skills.

ISO 42001 (relationship: Partially overlaps, 1 control)

  • Annex A 4.6: Annex A 4.6 (ISO/IEC 42001:2023) requires the organisation to document AI-related human resources and their competencies across developme...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
