Ensuring Readable and Maintainable Software Architecture
Ensure that software design is clear and easy to update.
Plain language
Think of your software like a car. This control is all about making sure that your software is built in a way that's easy to understand and fix when needed. If it's a mess of wires and parts, no one will know how to repair it quickly or safely, which could lead to costly breakdowns or security issues.
Framework: ASD Information Security Manual (ISM)
Control effect: Preventative
Classifications: NC, OS, P, S, TS
ISM last updated: May 2025
Control Stack last updated: 19 Mar 2026
E8 maturity levels: N/A
Guideline: Guidelines for software development
Official control statement
Software is architected and structured to support readability and maintainability.
Why it matters
Poor software architecture reduces readability and maintainability, increasing defect rates and the likelihood of security flaws during changes and incident fixes.
Operational notes
Use architecture and design reviews plus coding standards to keep code readable. Maintain architecture diagrams/ADRs and refactor regularly to prevent complexity and brittle components.
Implementation tips
- Managers should work with developers to establish a clear coding standard. These standards should outline how your team writes and organises code, making sure it’s simple and consistent. By having everyone on the same page, it ensures that future changes are easier and less likely to cause errors.
- The IT team should schedule regular code reviews. In these sessions, team members review each other's work to ensure that it aligns with the established coding standards. This peer review process ensures that any confusing code can be identified and improved.
- Software developers should create and maintain comprehensive documentation. This means writing down how the software is built and how different parts interact with each other in simple, understandable language. This 'map' helps anyone in the future to quickly grasp how things work.
- Project managers should plan for routine software updates. Regularly updating the software not only improves functionality and security but also ensures that any changes are well-documented and understood within the team.
- Business owners should periodically check in with the IT team to ensure that the software architecture is still aligned with business goals. This involves discussing any changes in business operations that might require adjustments to the software structure.
Audit / evidence tips
- Ask: the established coding standards document. Request a copy of the set rules and guidelines the team follows for writing code.
  Good: the document is clear, accessible, and any team member should be able to follow it easily.
- Ask: records of recent code review meetings. Request minutes or records of these meetings to review what's been discussed and improved.
  Good: the record shows participation and evidence of improvements made based on discussions.
- Ask: examples of the software documentation. Request to see the documentation of a current software project.
- Ask: to see the software update schedule. Request a plan or timeline that outlines when updates are planned and what they contain.
  Good: the schedule is regular and aligns with both new software improvements and organisational needs.
- Ask: evidence of feedback from non-technical stakeholders. Request any records of feedback from business managers or owners regarding software usability and goals.
  Good: the process includes clear communication channels and records of action taken based on feedback.
Cross-framework mappings
How ISM-2043 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001: Partially meets (2)

| Control | Notes |
|---|---|
| Annex A 8.25 | ISM-2043 requires software to be architected and structured for readability and maintainability |
| Annex A 8.27 | ISM-2043 requires software to be architected and structured to support readability and maintainability |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.