ISM-2061 ASD Information Security Manual (ISM)

Conduct Security-Focused Peer Reviews on Software

Developers review important software to ensure it is secure.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

May 2025

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Software developer-supported security-focused peer reviews are conducted on all critical and security-focused software components.

Source: ASD Information Security Manual (ISM)

Plain language

This control means that software developers need to take a close look at critical and security-focused pieces of software to confirm they are secure before they are deployed. This is important because if there are security holes or weaknesses, bad actors could use them to access sensitive information or disrupt operations, which can seriously affect a business or organisation.

Why it matters

Without security-focused peer reviews of critical components, vulnerabilities can slip into production, enabling breaches or data theft.

Operational notes

Perform security-focused peer reviews on all critical and security-focused code, with the developers who wrote it taking part but with the approving reviewer independent of the author; work from a written security checklist and record the outcome of each review.

Implementation tips

  • Development team leaders should organise regular security-focused peer review sessions for critical software. Schedule a specific time for developers to walk through the security aspects of the components they have worked on, and work from a checklist of security concerns so that every session covers the same ground.
  • Managers should identify which software components are critical or security-focused and ensure they are reviewed on every change and at regular intervals. Work with the development team to categorise components as 'critical' or 'non-critical' based on their role in the organisation's operations, and record the justification for each classification.
  • Project managers should assign experienced developers to review code written by others, never by the author alone. Ensure these reviewers understand what secure coding practices look like and give them guidelines on what to focus on during reviews.
  • IT security teams should support developers with training and resources on common security vulnerabilities. Host workshops or briefing sessions to familiarise developers with these concepts, and make available tools that help spot potential issues in code.
  • The software development team should document their review process and findings. After each review, write a short summary covering what was checked, who checked it, and any issues or improvements identified, and keep it where future reviews and auditors can refer back to it.
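The operational note and the implementation tips above can be enforced mechanically rather than left to convention. The following Python is an added example, not code from Control Stack or from the ISM, that encodes the four conditions a practitioner would check before a change to a critical component is accepted: the review is approving, the reviewer is security-trained, the reviewer is independent of the change's authors, and a security checklist was completed and recorded. The path prefixes, reviewer names and sample changes are all constructed for illustration and are not from any real project.

```python
"""Enforcement check for security-focused peer review of critical components.

Added illustration, not part of the ISM or Control Stack. The classification
table, reviewer roster and change records below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable

# Constructed sample classification of critical / security-focused components,
# keyed by path prefix. A real team keeps this list with the code and records
# the justification for each entry, as the audit tips ask for.
CRITICAL_PREFIXES = ("auth/", "crypto/", "payments/")

# Constructed sample roster of developers trained to do security-focused reviews.
SECURITY_REVIEWERS = frozenset({"bob", "dana"})


@dataclass(frozen=True)
class Review:
    reviewer: str
    approved: bool
    checklist_completed: bool   # security checklist worked through and recorded


@dataclass(frozen=True)
class Change:
    change_id: str
    authors: frozenset          # everyone who committed to the change
    files: tuple
    reviews: tuple


def critical_files(files: Iterable[str], prefixes=CRITICAL_PREFIXES) -> list:
    """Files in the change that belong to a critical / security-focused component."""
    return sorted(f for f in files if any(f.startswith(p) for p in prefixes))


def evaluate(change: Change, reviewers: frozenset = SECURITY_REVIEWERS) -> tuple:
    """Return (ok, reasons).

    ok is True when the change touches no critical component, or when at least
    one review is (1) approving, (2) by a trained security reviewer, (3) by
    someone who is not an author of the change, and (4) backed by a completed
    checklist. reasons lists why each recorded review fell short, so the gap
    is visible in the evidence trail rather than silently failing.
    """
    touched = critical_files(change.files)
    if not touched:
        return True, []
    reasons = []
    for r in change.reviews:
        problems = []
        if not r.approved:
            problems.append("not approved")
        if r.reviewer not in reviewers:
            problems.append("reviewer not security-trained")
        if r.reviewer in change.authors:
            problems.append("reviewer is an author (not independent)")
        if not r.checklist_completed:
            problems.append("security checklist not completed")
        if not problems:
            return True, []
        reasons.append(f"{r.reviewer}: " + ", ".join(problems))
    if not change.reviews:
        reasons.append("no review recorded")
    return False, [f"critical files touched: {', '.join(touched)}"] + reasons


# Constructed sample changes, chosen to exercise each failure mode once.
SAMPLE_CHANGES = (
    Change("c1", frozenset({"alice"}), ("auth/session.py",),
           (Review("bob", True, True),)),        # valid independent review
    Change("c2", frozenset({"alice", "bob"}), ("crypto/kdf.py",),
           (Review("bob", True, True),)),        # reviewer co-authored the change
    Change("c3", frozenset({"alice"}), ("payments/refund.py",),
           (Review("carol", True, True),)),      # reviewer not security-trained
    Change("c4", frozenset({"alice"}), ("auth/login.py",),
           (Review("dana", True, False),)),      # checklist not recorded
    Change("c5", frozenset({"alice"}), ("docs/readme.md",), ()),  # non-critical
)


def report(changes: Iterable[Change] = SAMPLE_CHANGES) -> dict:
    """Map change id -> ok flag; the per-change reasons go into the review record."""
    return {c.change_id: evaluate(c)[0] for c in changes}


if __name__ == "__main__":
    for c in SAMPLE_CHANGES:
        ok, reasons = evaluate(c)
        print(c.change_id, "PASS" if ok else "FAIL")
        for line in reasons:
            print("   ", line)
```

The same four conditions map directly onto the audit evidence the next section asks for: the classification table is the list of critical components, the roster is the training record, and the reasons emitted for a failing change are the kind of finding a review summary should capture.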

Audit / evidence tips

  • Ask: documentation of the peer review process for critical software, including the list of components classified as critical

    Good: list will be complete with justification for why each component is critical and evidence of review activities for each item

  • Ask: training materials or records regarding security education for developers

  • Ask: meeting notes or documentation from security-focused review sessions

    Good: will include specific security issues identified and changes made as a result

  • Ask: to see the checklist used during security reviews

    Good: checklist will include reference to common vulnerabilities and coding practices that align with best practices

Cross-framework mappings

How ISM-2061 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (2)

  • Annex A 8.25 (Secure development life cycle): ISM-2061 mandates security-focused peer reviews for critical and security-focused components as part of development assurance
  • Annex A 8.28 (Secure coding): ISM-2061 requires developer-supported, security-focused peer reviews to be conducted on all critical and security-relevant software compo...

Partially overlaps (1)

  • Annex A 8.29 (Security testing in development and acceptance): ISM-2061 requires developer-supported security-focused peer reviews on critical and security-focused software components to identify secu...
