ISM-2045 ASD Information Security Manual (ISM)

Ensure Backwards Compatibility Doesn't Weaken Security

Make sure older software versions retain security when new updates are made.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

May 2025

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Application backwards compatibility does not compromise any security measures or features.

Source: ASD Information Security Manual (ISM)

Plain language

When software is updated, it's important to make sure that any older versions you still use aren't leaving your organisation vulnerable to cyber threats. If older versions are less secure, they can become weak spots that hackers exploit, potentially leading to data breaches or system shutdowns.

Why it matters

If backwards compatibility is not checked for its security impact, older software versions or compatibility modes may bypass security controls, leaving critical systems vulnerable to attack.

Operational notes

Test legacy versions for secure operation, and disable compatibility modes that bypass key security features. Document exceptions and re-test after patches or upgrades.

Implementation tips

  • The IT team should review the security features of older software versions whenever a new update is rolled out. They should compare the security measures in the new version to those in the older versions to ensure no features are lacking.
  • Software developers should document the security changes made in each update. They should provide a clear list of security enhancements so the IT team can understand what might be missing in older versions.
  • The system owner should regularly check which versions of the software are being used within the organisation. They should ensure that everyone has access to updated versions unless there's a necessary reason to use an older one.
  • Procurement should maintain a record of all software versions in use. They need to ensure licensing and support agreements cover all versions, and that security updates are still available and applied as needed.
  • Security staff should set up alerts for when older software versions are used. They can use simple system log monitors to flag outdated use, so any potential risks can be assessed and managed quickly.

Audit / evidence tips

  • Ask for the software version security comparison report: request the documentation that compares security features between different software versions.

    Good: includes clear comparisons with remedial actions for any gaps found.

  • Ask for the update documentation list: request the file that details all updates with their security fixes.

    Good: shows the security enhancements for each update and when they were deployed.

  • Ask for version usage records: request a list showing which versions are currently in use within the organisation.

    Good: a list with clear justifications and a plan to update where feasible.

  • Ask for software licensing agreements: request documents supporting that older software versions are covered by licences and are still supported.

    Good: a valid licence period with assurances of ongoing security support.

  • Ask for alert records on older version usage: request logs or records that show how alerts on old version usage are handled.

    Good: includes prompt responses to alerts with documentation of actions taken.

Cross-framework mappings

How ISM-2045 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Supports (3)

  • Annex A 8.9: ISM-2045 requires organisations to ensure backwards compatibility does not introduce security regressions or disable protections
  • Annex A 8.19: ISM-2045 requires organisations to prevent security controls being weakened when supporting older application versions or legacy behaviours
  • Annex A 8.26: ISM-2045 requires organisations to ensure that maintaining backwards compatibility in applications does not weaken existing security meas...
