ISM-2083 ASD Information Security Manual (ISM)

Provide a Cryptographic Bill of Materials to Software Users

Software producers must give users a list of all cryptographic components used in the software.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Nov 2025

✏️ Control Stack last updated

19 Mar 2026

🎯 E8 maturity levels

N/A

Official control statement
A cryptographic bill of materials is produced and made available to consumers of software.

Source: ASD Information Security Manual (ISM)

Plain language

Think of this control like an ingredients list but for your software. Software producers need to give you a list of all the cryptographic bits and pieces used in their software. This is important because if you don't know what security measures are used, you can't properly protect your data or fix issues when something goes wrong.

Why it matters

Without a cryptographic bill of materials (CBOM), users may unknowingly rely on weak or vulnerable algorithms/libraries, increasing breach risk.

Operational notes

Publish a CBOM per release listing crypto libraries, versions, algorithms/modes and key sizes, and update it when components change or CVEs emerge.

Implementation tips

  • The IT team should create a comprehensive list of all cryptographic components used in the software. Begin by reviewing the software's documentation and source code for any mention of encryption or security protocols, and compile this into a document or spreadsheet.
  • Software developers need to regularly update the cryptographic bill of materials. They should ensure that each time there's a software update or patch, any changes to cryptographic tools are noted and the bill of materials is refreshed to reflect current usage.
  • The software development manager should provide this list to end-users. They can do this by including it as part of the software documentation, or making it available on a user portal where customers can easily access it.
  • The procurement team needs to request this document from vendors as part of the purchasing process. They should include it as a requirement in contracts and confirm it's provided before finalising any software purchase.
  • An IT supervisor should review the list for completeness and accuracy quarterly. They can compare the company's inventory of software against the provided bills of materials to ensure all necessary documents are accounted for and up-to-date.
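The operational note above names the fields a CBOM should carry (library, version, algorithm/mode, key size) and the tips describe producing it per release, refreshing it on change and reviewing it for coverage. The following is an added example, not code from Control Stack or the ASD; it builds a small release-keyed CBOM, checks it against an illustrative policy, diffs two releases so a refresh can be reviewed, and lists inventory entries with no CBOM on file. The JSON shape, the `cryptographic-asset` component type (loosely modelled on the CycloneDX CBOM convention), the policy thresholds and all sample products and versions are assumptions constructed for the example.

```python
"""Build, validate, diff and audit a minimal cryptographic bill of materials (CBOM).

Constructed example. The document shape is an assumption that loosely follows the
CycloneDX "cryptographic-asset" component type; it is not an official schema.
Policy thresholds below are illustrative and should be replaced with your own.
"""
import json
from dataclasses import dataclass, asdict

# Illustrative policy (assumed values): primitives and modes treated as unacceptable,
# and minimum key sizes per algorithm family.
DISALLOWED_PRIMITIVES = {"MD5", "SHA-1", "RC4", "DES", "3DES"}
DISALLOWED_MODES = {"ECB"}
MIN_KEY_BITS = {"AES": 128, "RSA": 2048, "ECDSA": 256, "ECDH": 256}


@dataclass
class CryptoAsset:
    """One CBOM line item: which library supplies the primitive and how it is used."""
    library: str        # e.g. OpenSSL
    version: str        # library version as shipped in this release
    algorithm: str      # primitive name, e.g. AES, RSA, SHA-256
    mode: str = ""      # block-cipher mode, empty when not applicable
    key_bits: int = 0   # key or digest size in bits, 0 when not applicable
    purpose: str = ""   # where the product uses it, e.g. "TLS session encryption"


def build_cbom(product: str, release: str, assets: list[CryptoAsset]) -> dict:
    """Serialise the assets into a CBOM document tied to one product release."""
    return {
        "product": product,
        "release": release,
        "components": [{"type": "cryptographic-asset", **asdict(a)} for a in assets],
    }


def check_policy(cbom: dict) -> list[str]:
    """Return one finding per component that violates the illustrative policy."""
    findings = []
    for c in cbom["components"]:
        where = f"{c['library']} {c['version']}: {c['algorithm']}"
        if c["algorithm"].upper() in DISALLOWED_PRIMITIVES:
            findings.append(f"{where} is a disallowed primitive")
        if c["mode"].upper() in DISALLOWED_MODES:
            findings.append(f"{where} uses disallowed mode {c['mode']}")
        minimum = MIN_KEY_BITS.get(c["algorithm"].upper())
        if minimum and c["key_bits"] < minimum:
            findings.append(f"{where} key size {c['key_bits']} is below minimum {minimum}")
    return findings


def _component_key(c: dict) -> tuple:
    """Identity of a component for diffing: purpose text is deliberately excluded."""
    return (c["library"], c["version"], c["algorithm"], c["mode"], c["key_bits"])


def diff_cbom(old: dict, new: dict) -> dict:
    """List components added and removed between two releases for refresh review."""
    old_set = {_component_key(c) for c in old["components"]}
    new_set = {_component_key(c) for c in new["components"]}
    return {"added": sorted(new_set - old_set), "removed": sorted(old_set - new_set)}


def audit_coverage(inventory: list[str], cboms: dict[str, dict]) -> list[str]:
    """Quarterly review helper: products in the inventory with no CBOM on file."""
    return sorted(p for p in inventory if p not in cboms)


# Constructed sample releases of a fictional product; not real software or versions.
RELEASE_1 = build_cbom("ExampleApp", "1.0", [
    CryptoAsset("OpenSSL", "3.0.13", "AES", "GCM", 256, "data at rest"),
    CryptoAsset("OpenSSL", "3.0.13", "RSA", "", 1024, "legacy licence signing"),
    CryptoAsset("libfoo", "2.1", "SHA-1", "", 160, "file checksum"),
])
RELEASE_2 = build_cbom("ExampleApp", "1.1", [
    CryptoAsset("OpenSSL", "3.0.13", "AES", "GCM", 256, "data at rest"),
    CryptoAsset("OpenSSL", "3.0.13", "RSA", "", 3072, "licence signing"),
    CryptoAsset("libfoo", "2.2", "SHA-256", "", 256, "file checksum"),
])

if __name__ == "__main__":
    print(json.dumps(RELEASE_2, indent=2))
    for finding in check_policy(RELEASE_1):
        print("finding:", finding)
    print("changes 1.0 -> 1.1:", diff_cbom(RELEASE_1, RELEASE_2))
    print("missing CBOMs:", audit_coverage(["ExampleApp", "OtherApp"], {"ExampleApp": RELEASE_2}))
```

Run as a script it prints the 1.1 CBOM, two policy findings against 1.0 (the 1024-bit RSA key and the SHA-1 checksum), the component-level changes between the two releases, and "OtherApp" as the inventory entry with no CBOM. Keying the diff on library, version, algorithm, mode and key size rather than on the free-text purpose keeps wording edits from masquerading as cryptographic changes.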

Audit / evidence tips

  • Ask for: the cryptographic bill of materials document. Ensure one is available for each piece of software your organisation uses.

    Good: a comprehensive, dated list detailing the cryptographic elements of each piece of software your organisation uses.

    Good: a version-controlled document showing regular updates, especially after new software releases or patches.

  • Ask for: evidence of communication with users, for example an email or notice regarding updates to the cryptographic bill of materials.

    Good: clear, consistent communications scheduled to provide users with crucial security information.

  • Ask for: procurement documentation. Ensure that all new software purchases include a requirement for a cryptographic bill of materials in the procurement process.

    Good: a set of procurement documents showing the requirement prominently and confirming receipt.

  • Good: a regularly updated review log with dates, reviewer names, and any changes or findings noted.

Cross-framework mappings

How ISM-2083 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control / Notes

Partially overlaps (1)
  Annex A 8.25: ISM-2083 requires software producers to provide software users with a CBOM of cryptographic components.

Supports (2)
  Annex A 5.21: ISM-2083 requires software producers to provide a CBOM to software users to increase transparency of cryptographic components.
  Annex A 8.24: ISM-2083 requires software producers to produce and make available a cryptographic bill of materials (CBOM) listing cryptographic compone...
