ISM-2082, ASD Information Security Manual (ISM)

Using Cryptographic BOM in Software Development

Ensure imported software uses standard encryption by checking its cryptographic details.


Plain language

When you bring new software into your business, it’s important to check if it uses proper security methods to protect data. This matters because if the software's security isn't up to standard, it could lead to data breaches or other security problems, putting your business and customers at risk.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

If a cryptographic bill of materials is available for imported third-party software components, it is used during software development to ensure such software components provide support for standardised implementations of ASD-Approved Cryptographic Algorithms.

Why it matters

Without using cryptographic BOMs for third-party components, non‑ASD-approved or weak crypto may be introduced, risking data exposure and loss of integrity.


Operational notes

When third‑party crypto BOMs exist, review them at intake and on updates to confirm only ASD‑Approved algorithms/implementations are used, and record any exceptions.


Implementation tips

  • Business managers should ensure that the IT team requests a cryptographic bill of materials (CBOM) from any new software vendor. This CBOM is essentially a list detailing the encryption methods the software uses. It helps verify that the software meets Australian Government standards for data protection.
  • The IT team should validate the CBOM against the Australian Signals Directorate (ASD) Approved Cryptographic Algorithms. They can do this by comparing the CBOM details with the list of approved methods available on the official ASD website, ensuring compliance.
  • Procurement officers should include a requirement for a CBOM in their contracts with software vendors. They can do this by clearly specifying in the purchase contract that the vendor must provide a CBOM as part of the software delivery.
  • System administrators should cross-check the provided CBOM during software installation and configuration. They should ensure that the encryption methods listed are correctly implemented in the software settings, aligning with the ASD standards.
  • Business leaders should arrange for an annual review of all third-party software for compliance with cryptographic standards. They can schedule meetings with IT to ascertain that all software remains up-to-date and compliant with current ASD standards.
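The intake and update review described in the operational notes and implementation tips (read the CBOM, compare each algorithm against the ASD-Approved list, record exceptions) can be automated. The following is an added example written for this page; it is not ISM text and not part of any vendor tooling. It assumes the CBOM is JSON in the shape of CycloneDX 1.6 cryptographic-asset components (the page does not name a CBOM format), and the APPROVED allowlist is an illustrative placeholder that must be populated from the current ASD-Approved Cryptographic Algorithms list before use. The sample CBOM is constructed for the example.

```python
"""Review a CycloneDX-style CBOM against an approved-algorithm allowlist.

Added example for ISM-2082; not from the ISM or the Control Stack page.
Assumptions:
- The CBOM uses CycloneDX 1.6 cryptographic-asset components
  (type, name, cryptoProperties.assetType, algorithmProperties.primitive).
- APPROVED is an illustrative placeholder, NOT the official ASD list;
  populate it from the ISM's ASD-Approved Cryptographic Algorithms.
"""
import json

# Illustrative placeholder allowlist keyed by CycloneDX algorithm primitive.
# Entries are algorithm family prefixes; names are normalised before comparison.
APPROVED = {
    "block-cipher": {"AES"},
    "hash": {"SHA256", "SHA384", "SHA512"},
    "signature": {"ECDSA", "RSA"},
    "key-agree": {"ECDH"},
}

# Constructed sample CBOM: two approved assets, one unapproved hash, and one
# asset with no algorithm metadata (which must be flagged, not passed silently).
SAMPLE_CBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "library", "name": "examplelib", "version": "2.1.0"},
        {"type": "cryptographic-asset", "name": "AES-256-GCM",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "block-cipher"}}},
        {"type": "cryptographic-asset", "name": "SHA-256",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "hash"}}},
        {"type": "cryptographic-asset", "name": "MD5",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "hash"}}},
        {"type": "cryptographic-asset", "name": "vendor-cipher",
         "cryptoProperties": {"assetType": "algorithm"}},
    ],
})


def normalise(name):
    """Upper-case and drop separators: 'SHA-256' -> 'SHA256'."""
    return "".join(ch for ch in name.upper() if ch.isalnum())


def is_approved(primitive, name):
    """Coarse family match: the normalised name starts with an approved prefix.

    This deliberately does not judge key sizes or modes; those still need
    a human review step, which is why 'approved' here means 'family is
    on the list', not 'configuration is acceptable'.
    """
    n = normalise(name)
    return any(n.startswith(fam) for fam in APPROVED.get(primitive, set()))


def review_cbom(cbom_json):
    """Return one finding per algorithm asset: (name, primitive, status).

    status is 'approved', 'not-approved', or 'unknown' when the asset has
    no usable algorithm metadata. Non-crypto components are skipped, and
    non-algorithm crypto assets (certificates, protocols) are out of scope.
    """
    bom = json.loads(cbom_json)
    findings = []
    for comp in bom.get("components", []):
        if comp.get("type") != "cryptographic-asset":
            continue
        props = comp.get("cryptoProperties", {})
        if props.get("assetType") != "algorithm":
            continue
        name = comp.get("name", "<unnamed>")
        primitive = props.get("algorithmProperties", {}).get("primitive")
        if not primitive:
            status = "unknown"
        elif is_approved(primitive, name):
            status = "approved"
        else:
            status = "not-approved"
        findings.append((name, primitive, status))
    return findings


def exceptions(findings):
    """Findings that need a recorded exception: anything not clearly approved."""
    return [f for f in findings if f[2] != "approved"]


if __name__ == "__main__":
    results = review_cbom(SAMPLE_CBOM)
    for name, primitive, status in results:
        print(f"{status:13} {primitive or '-':13} {name}")
    print(f"{len(exceptions(results))} item(s) require a recorded exception")
```

Run it at intake and again whenever a component is updated, and keep the `exceptions()` output with the review record; an asset reported as `unknown` is an incomplete CBOM entry to raise with the vendor rather than something to wave through.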

Audit / evidence tips

  • Ask for: the CBOM for each imported software product, i.e. a document showing all cryptographic measures used by the software. Good evidence: includes clearly labelled methods that match ASD-Approved Cryptographic Algorithms.
  • Good evidence: a contract signed by both parties with a CBOM requirement clause.
  • Good evidence: a process document with specific steps and references to ASD standards.
  • Good evidence: documented proof of settings that align with ASD standards.
  • Ask for: meeting minutes or reports from the annual software compliance review. Good evidence: a report with compliance status and action items followed up.

Cross-framework mappings

How ISM-2082 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (3):
  • Annex A 5.19: ISM-2082 requires using a CBOM for imported third-party components during development to validate cryptographic support aligns with ASD‑A...
  • Annex A 5.21: ISM-2082 requires developers to use a CBOM for imported third-party software components to confirm those components support standardised ...
  • Annex A 8.24: ISM-2082 requires using a cryptographic bill of materials (CBOM) for imported third-party components during software development to verif...

Supports (1):
  • Annex A 8.27: ISM-2082 requires checking imported third-party components via a CBOM to confirm they support standardised ASD‑Approved Cryptographic Alg...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
