ISM-2060: ASD Information Security Manual (ISM) policy control

Ensure Code Reviews Support Secure Design

Code reviews check if software follows secure design and programming practices.


Plain language

Code reviews make sure that the software being developed is built in a way that is secure and can protect our information. This is important because if the software has security weaknesses, it could be hacked, leading to data breaches, financial loss, and damage to our reputation.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Code reviews are utilised to ensure software meets Secure by Design principles and practices as well as secure programming practices.

Why it matters

Without secure-by-design code reviews, insecure patterns and common coding flaws (e.g., injection, authz bypass) may ship, enabling compromise and data loss.


Operational notes

Use documented review checklists for secure-by-design and secure coding (input validation, authz, secrets, crypto use), and track/fix findings before merge.


Implementation tips

  • System owners should ensure that code reviews are part of the software development process. They can do this by mandating that every change in the software includes a review step by another knowledgeable developer to catch potential security issues early.
  • IT team leaders should train their developers in secure coding practices. This can be done through workshops or online courses focusing on common security pitfalls and how to avoid them during coding.
  • Project managers should integrate secure design principles into project planning. They should allocate time and resources for thorough code reviews at various stages of the software development lifecycle to ensure security checks are not rushed.
  • Developers should document secure design decisions during the development process. This documentation should include the reasoning behind design choices that enhance security, making it easier for reviewers to understand and validate these during code reviews.
  • Security officers should periodically audit the code review process to ensure it aligns with best practices. This means checking that reviews are completed by qualified individuals and that feedback is effectively addressed by developers.

Audit / evidence tips

  • Ask for: The code review checklists. Request the documents that team members use to ensure all security aspects are reviewed. Good evidence: A comprehensive checklist that aligns with known security standards and is regularly updated.
  • Ask for: Examples of completed code review reports. Request reports from recent code reviews. Good evidence: Reports showing detailed and security-focused feedback that has been addressed in subsequent code changes.
  • Ask for: Documentation on secure design training sessions. Request the records showing training sessions given to developers. Good evidence: Regularly conducted training sessions with documented participation and up-to-date materials.
  • Ask for: Evidence of secure coding guidelines. Request the guidelines used by developers as part of the development process. Good evidence: Clear guidelines available to all developers, reflecting the latest in security best practices.
  • Ask for: Security officer audit reports. Request documentation showing audits of the code review process. Good evidence: Detailed audit reports highlighting strengths and weaknesses, with actionable recommendations that have been implemented.

Cross-framework mappings

How ISM-2060 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Relationship: Partially meets (1)
  • Annex A 8.25: ISM-2060 requires code reviews to be utilised to confirm Secure by Design and secure programming practices are being followed.

Relationship: Partially overlaps (1)
  • Annex A 8.29: ISM-2060 requires code reviews to validate Secure by Design and secure programming practices in software.

Relationship: Supports (2)
  • Annex A 8.27: ISM-2060 requires code reviews to check that implementations reflect Secure by Design and secure programming practices.
  • Annex A 8.28: Annex A 8.28 requires secure coding principles to be applied throughout software development to prevent vulnerabilities.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
