Ensure Backwards Compatibility Doesn't Weaken Security
Make sure older software versions retain security when new updates are made.
Plain language
When software is updated, it's important to make sure that any older versions you still use aren't leaving your organisation vulnerable to cyber threats. If older versions are less secure, they can become weak spots that hackers exploit, potentially leading to data breaches or system shutdowns.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Official control statement
Application backwards compatibility does not compromise any security measures or features.
Why it matters
Without verifying that backwards compatibility preserves security, older software versions and compatibility modes may bypass security controls, leaving critical systems vulnerable to attack.
Operational notes
Test legacy versions for secure operation, and disable compatibility modes that bypass key security features. Document exceptions and re-test after patches or upgrades.
Implementation tips
- The IT team should review the security features of older software versions whenever a new update is rolled out. They should compare the security measures in the new version to those in the older versions to ensure no features are lacking.
- Software developers should document the security changes made in each update. They should provide a clear list of security enhancements so the IT team can understand what might be missing in older versions.
- The system owner should regularly check which versions of the software are being used within the organisation. They should ensure that everyone has access to updated versions unless there's a necessary reason to use an older one.
- Procurement should maintain a record of all software versions in use. They need to ensure licensing and support agreements cover all versions, and that security updates are still available and applied as needed.
- Security staff should set up alerts for when older software versions are used. They can use simple system log monitors to flag outdated use, so any potential risks can be assessed and managed quickly.
Audit / evidence tips
- Ask for the software version security comparison report: Request the documentation that compares security features between different software versions.
  Good: includes clear comparisons with remedial actions for any gaps found.
- Ask for the update documentation list: Request the file that details all updates with their security fixes.
  Good: shows the security enhancements for each update and when they were deployed.
- Ask for version usage records: Request a list showing which versions are currently in use within the organisation.
  Good: is a list with clear justifications and a plan to update where feasible.
- Ask for software licensing agreements: Request documents supporting that older software versions are covered by licences and are still supported.
  Good: is a valid licence period with assurances of ongoing security support.
- Ask for alert records on older version usage: Request logs or records that show how alerts on old version usage are handled.
  Good: includes prompt responses to alerts with documentation of actions taken.
Cross-framework mappings
How ISM-2045 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (3) | | |
| Annex A 8.9 | ISM-2045 requires organisations to ensure backwards compatibility does not introduce security regressions or disable protections | |
| Annex A 8.19 | ISM-2045 requires organisations to prevent security controls being weakened when supporting older application versions or legacy behaviours | |
| Annex A 8.26 | ISM-2045 requires organisations to ensure that maintaining backwards compatibility in applications does not weaken existing security meas... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.