Conduct Security-Focused Peer Reviews on Software
Developers review important software to ensure it is secure.
Plain language
This control means that software developers need to have a close look at critical pieces of software to ensure they're safe and secure before they're used. This is important because if there are security holes or weaknesses, it could lead to bad actors accessing sensitive information or disrupting operations, which can seriously affect a business or organisation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Official control statement
Software developer-supported security-focused peer reviews are conducted on all critical and security-focused software components.
Why it matters
Without security-focused peer reviews of critical components, vulnerabilities can slip into production, enabling breaches or data theft.
Operational notes
Perform developer-supported security peer reviews on all critical/security code; use a checklist and assign independent reviewers.
Implementation tips
- Development team leaders should organise regular peer review sessions for critical software. This involves scheduling a specific time for developers to come together and discuss the security aspects of the software components they’ve worked on. Ensure there is a checklist of security concerns to address during these sessions.
- Managers should identify which software components are critical and ensure they are regularly reviewed. This involves working with the development team to categorise software into 'critical' and 'non-critical' based on its role and importance in the organisation's operations.
- Project managers should assign experienced developers to review the code written by others. They should ensure that these reviewers understand what secure coding practices look like and provide them with guidelines on what to focus on during reviews.
- IT security teams should support developers by providing them with training and resources on common security vulnerabilities. Host workshops or informational sessions to familiarise developers with these concepts and make available tools that can help spot potential issues in code.
- The software development team should document their review process and findings. After each software review, ensure a summary is written down, including what was checked, who checked it, and any issues or improvements identified. This documentation should be easy to refer back to in future reviews.
Audit / evidence tips
- Ask: documentation of the peer review process for critical software
  Good: the list will be complete, with justification for why each component is critical and evidence of review activities for each item
- Ask: training materials or records regarding security education for developers
- Ask: meeting notes or documentation from security-focused review sessions
  Good: will include specific security issues identified and changes made as a result
- Ask: to see the checklist used during security reviews
  Good: the checklist will include references to common vulnerabilities and coding practices that align with best practices
Cross-framework mappings
How ISM-2061 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.28 | ISM-2061 requires developer-supported, security-focused peer reviews to be conducted on all critical and security-relevant software compo... |
| Partially overlaps | Annex A 8.29 | ISM-2061 requires developer-supported security-focused peer reviews on critical and security-focused software components to identify secu... |
| Related | Annex A 8.25 | Annex A 8.25 requires secure development rules to be established and applied across the lifecycle |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.