Prevent Using Developers Without Cyber Security Skills
Ensure software developers possess the cyber security knowledge and skills required for their specific projects or tasks before they are assigned to them.
Plain language
Before letting a developer work on a project, the organisation confirms they actually understand the cyber security demands of that specific work, not just how to code. If a developer does not have the secure-coding skills the project needs, they are not put on it until the gap is closed. This stops under-skilled developers from quietly building insecure software that attackers can later exploit.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
June 2026
Control Stack last updated
19 June 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Official control statement
Software developers that lack sufficient cyber security knowledge and skills required for their projects or tasks are not used.
Why it matters
If under-skilled developers are assigned to projects, they introduce insecure coding patterns such as missing or weak input validation, broken authentication and authorisation logic, injection-prone queries, unsafe handling of secrets, and flawed cryptography. These defects are baked into the software at build time, are expensive to remediate later, and create exploitable vulnerabilities that can lead to data compromise or system takeover. Because the gap is a skills gap, the same classes of weakness tend to recur across every project the developer touches.
Operational notes
Map the specific cyber security skills each project or task type demands (for example web app security, API authentication, cryptographic implementation, or secure handling of personal data) and match developers against that profile before assignment, not just against general coding ability. Reassess a developer's competency whenever they change role or are assigned a new project type that requires skills outside their demonstrated experience. Where a needed skill is absent, either reassign the work, pair the developer with a competent peer, or close the gap through targeted upskilling before they touch production code. Keep the assessment current as threats and the organisation's technology stack evolve, since yesterday's competent developer may lack today's required knowledge.
Implementation tips
- Define, for each project or task type the organisation undertakes, the specific cyber security skills it demands (for example input validation, secure authentication and authorisation, cryptographic implementation, secure secret handling) so assignment decisions have a concrete benchmark.
- Build and maintain a developer competency matrix that records which of those cyber security skills each developer has demonstrated, with the date and method of assessment.
- Before assigning a developer to a project, compare their recorded competencies against that project's required skills and only assign them when the required skills are met.
- Assess competency using objective evidence such as a secure-coding test, review of prior secure code, or recognised certification, rather than relying on years of experience alone.
- Reassess a developer's cyber security competency whenever they change role or are assigned a new project type that requires skills outside their demonstrated experience.
- Where a required skill is absent, withhold the assignment and close the gap first by pairing the developer with a competent peer, providing targeted upskilling, or reassigning the work to a qualified developer.
Audit / evidence tips
- Take a sample of current development projects and confirm that, for each assigned developer, there is a recorded assessment matching their cyber security skills to that project's specific requirements dated before they were assigned.
- Identify a developer who recently moved to a new project type or role and confirm their competency was reassessed against the new requirements rather than carried over unchanged.
- Pick a developer whose skills assessment flagged a gap and confirm the work was withheld, reassigned, paired, or the gap was closed before they contributed code to the project.
- Inspect the skills matrix or competency register and confirm it names the specific cyber security skills relevant to the organisation's project types, not just generic coding ability, and that entries are current.
- For an engaged contractor or external development firm, confirm the organisation verified the cyber security skills required for that specific work before the firm was used.
Cross-framework mappings
How ISM-2121 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 6.3 | ISM-2121 requires organisations to avoid using developers who lack sufficient cyber security knowledge and skills for the work they are a... | |
| Depends on (2) | | |
| Annex A 8.25 | ISM-2121 requires that only developers with sufficient cyber security skills are used on relevant projects or tasks | |
| Annex A 8.27 | ISM-2121 requires organisations not to use developers who lack the cyber security knowledge and skills required for their tasks | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.