Management of Outsourced System Development
Ensure your organisation oversees and checks outsourced development to maintain security.
Plain language
When your organisation hires someone else to develop software systems, you must make sure they're doing it securely. If you don't watch over this process, your business could end up with software that exposes you to data leaks or cyberattacks. That's why it's important to check that the people developing your software are doing it to the right standards and securely handling any sensitive information.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Technological controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
The organization shall direct, monitor and review the activities related to outsourced system development.
Why it matters
Without oversight, outsourced development can introduce security flaws, leading to hidden vulnerabilities and increased supply chain risks.
Operational notes
Set security requirements in contracts, track supplier KPIs, and review deliverables (code, tests, fixes) via defined reporting and audits.
Implementation tips
- The procurement manager should set clear contractual terms for outsourced development, including security requirements. This means writing agreements that specify the need for secure design, coding, and testing based on ISO 27002:2022 guidance and relevant Australian regulations like the Privacy Act 1988.
- The IT manager should regularly monitor the outsourced development process. This can be done by scheduling frequent progress meetings and requesting evidence of testing and security practices from the developers to ensure they're following the agreed standards.
- The legal team should review licensing agreements and intellectual property rights. Ensure that the contracts give your organisation access to the source code and the right to audit the development process to protect against supplier bankruptcy.
- The compliance officer should ensure the development processes meet regulatory requirements. This involves understanding the legal obligations under Australian laws such as CPS 234 and ensuring developers adhere to them through security and performance benchmarks.
- The security team should conduct acceptance testing for deliverables before completion. Make sure to review the software for vulnerabilities and confirm all security features are functioning as intended by engaging both internal testers and independent third parties if needed.
Audit / evidence tips
- Ask for: the outsourcing contract and any agreements related to security requirements
- Ask for: records of progress meetings between your organisation and the developers. Good evidence: documented discussions about security and adjustments made in response to issues
- Ask for: the results of security testing on the developed systems
- Ask for: proof of auditing rights and any audits conducted
Cross-framework mappings
How Annex A 8.30 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (9) | | |
| ISM-0401 | ISM-0401 requires embedding Secure by Design into both internal and outsourced SDLC processes | |
| ISM-0731 | Annex A 8.30 requires the organisation to direct, monitor and review outsourced system development activities so security is maintained w... | |
| ISM-1395 | Annex A 8.30 requires directing, monitoring and reviewing outsourced system development to ensure security requirements are met by extern... | |
| ISM-1452 | Annex A 8.30 requires directing, monitoring and reviewing outsourced system development, which inherently involves managing third-party d... | |
| ISM-1780 | ISM-1780 requires SecDevOps practices to be used for software development, including embedding security controls into build, test, and re... | |
| ISM-1826 | ISM-1826 requires choosing server application vendors that demonstrate secure design and secure programming practices, including preferen... | |
| ISM-2031 | ISM-2031 requires organisations to implement and use security features in compilers, interpreters and build pipelines to improve executab... | |
| ISM-2033 | ISM-2033 requires software security requirements to be documented, stored securely, and maintained throughout the SDLC | |
| ISM-2087 | ISM-2087 requires the organisation to verify the source and integrity of training data used to build AI models | |
| Supports (9) | | |
| ISM-0402 | ISM-0402 requires comprehensive vulnerability testing (SAST, DAST, SCA) before release and periodically to identify previously unknown vu... | |
| ISM-1239 | ISM-1239 requires robust web application frameworks to be used for secure web application development | |
| ISM-1634 | ISM-1634 requires system owners (with the authorising officer) to select and tailor an appropriate set of system security controls to mee... | |
| ISM-1738 | Annex A 8.30 requires directing, monitoring and reviewing outsourced system development activities on an ongoing basis | |
| ISM-1791 | Annex A 8.30 requires the organisation to direct, monitor and review outsourced system development activities to maintain security and qu... | |
| ISM-2024 | ISM-2024 requires authoritative sources to be used for all software development activities, including acquisition of frameworks, librarie... | |
| ISM-2029 | ISM-2029 requires the authoritative software source to restrict third-party libraries to trustworthy sources to manage software supply-ch... | |
| ISM-2039 | ISM-2039 requires continuous review of the software threat model across the SDLC so the model matches the as-built system and current thr... | |
| ISM-2086 | ISM-2086 requires that the source and integrity of AI models (including structures and weights) are verified to ensure they are authentic... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.