BSIMM

International

v14

4 domains

36 controls

Building Security In Maturity Model

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (4)

BSIMM Deployment (Penetration Testing, Software Environment, Config & Vulnerability Management)

10 controls

Controls in the BSIMM Deployment (Penetration Testing, Software Environment, Config & Vulnerability Management) domain of BSIMM — 10 controls
Code	Title	Description
CMVM1.1	Create or use an incident response capability for software	Config & Vulnerability Management. An incident response capability is created or used so software security incidents are...
CMVM1.2	Identify software defects found in operations and feed them back to development	Config & Vulnerability Management. Software defects found in operations monitoring are identified and fed back to develo...
CMVM1.3	Track software bugs found in operations through the fix process	Config & Vulnerability Management. Software bugs found in operations are tracked through the fix process so vulnerabilit...
CMVM3.4	Operate a bug bounty program	Config & Vulnerability Management. A bug bounty program is operated so external researchers can responsibly report vulne...
PT1.1	Use external penetration testers	Penetration Testing. External penetration testers are used so an independent assessment finds vulnerabilities before att...
PT1.2	Feed penetration test results to defect management	Penetration Testing. Penetration test results are fed into defect management so findings are tracked and fixed like othe...
PT1.3	Use penetration testing tools internally	Penetration Testing. Penetration testing tools are used internally so testing scales beyond periodic external engagement...
SE1.2	Ensure host and network security basics are in place	Software Environment. Basic host and network security (hardening, patching) is ensured so the software's operating envir...
SE1.3	Implement cloud security controls	Software Environment. Cloud security controls are implemented so cloud-hosted applications inherit a secure configuratio...
SE3.6	Enhance application inventory with an operations bill of materials	Software Environment. The application inventory is enhanced with an operations bill of materials (SBOM/OBOM) so deployed...

BSIMM Governance (Strategy & Metrics, Compliance & Policy, Training)

9 controls

Controls in the BSIMM Governance (Strategy & Metrics, Compliance & Policy, Training) domain of BSIMM — 9 controls
Code	Title	Description
CP1.1	Unify regulatory pressures	Compliance & Policy. The organisation unifies regulatory pressures into a single view so software security requirements...
CP1.2	Identify privacy (PII) obligations	Compliance & Policy. Privacy obligations and the personal data (PII) handled by software are identified so privacy requi...
CP1.3	Create software security policy	Compliance & Policy. A software security policy is created to satisfy regulatory and customer-driven security requiremen...
SM1.1	Publish process and evolve as necessary	Strategy & Metrics. The organisation publishes its software security process and evolves it as necessary, so roles, acti...
SM1.3	Educate executives on software security	Strategy & Metrics. Executives are educated on software security so they understand the risk and support the initiative...
SM1.4	Implement security checkpoints and associated governance gates	Strategy & Metrics. Security checkpoints and governance gates are implemented in the SDLC so releases require security s...
SM2.2	Enforce gates with measurements and track exceptions	Strategy & Metrics. Security gates are enforced with measurements and exceptions are tracked, so risk decisions are expl...
T1.1	Conduct software security awareness training	Training. Software security awareness training is conducted so developers and stakeholders understand secure development...
T1.7	Deliver on-demand individual training	Training. On-demand individual software security training is delivered so staff can access targeted learning when needed...

BSIMM Intelligence (Attack Models, Security Features & Design, Standards & Requirements)

8 controls

Controls in the BSIMM Intelligence (Attack Models, Security Features & Design, Standards & Requirements) domain of BSIMM — 8 controls
Code	Title	Description
AM1.2	Create a data classification scheme and inventory	Attack Models. A data classification scheme and inventory are created so the most important data and systems can be prot...
AM1.3	Identify potential attackers	Attack Models. Potential attackers and their motivations are identified so threats can be modelled realistically.
AM1.5	Gather and use attack intelligence	Attack Models. Attack intelligence is gathered and used so the organisation stays current on relevant threats and techni...
SFD1.1	Build and publish security features	Security Features & Design. Common security features (authentication, authorisation, logging, crypto) are built and publ...
SFD1.2	Engage architecture teams with security	Security Features & Design. Security engages with application architecture teams so secure design is considered from the...
SR1.1	Create security standards	Standards & Requirements. Security standards are created so teams have clear, consistent requirements to build to.
SR1.3	Translate compliance constraints to requirements	Standards & Requirements. Compliance constraints are translated into concrete software security requirements so obligati...
SR1.5	Identify open source and manage its risk	Standards & Requirements. Open source components are identified and their risk managed so known-vulnerable or non-compli...

BSIMM SSDL Touchpoints (Architecture Analysis, Code Review, Security Testing)

9 controls

Controls in the BSIMM SSDL Touchpoints (Architecture Analysis, Code Review, Security Testing) domain of BSIMM — 9 controls
Code	Title	Description
AA1.1	Perform security feature review	Architecture Analysis. A security feature review is performed so the design's security mechanisms are assessed against r...
AA1.4	Use a risk-ranking methodology for applications	Architecture Analysis. A risk-ranking methodology is used to prioritise applications for architecture analysis so effort...
AA2.1	Perform architecture analysis using STRIDE or equivalent	Architecture Analysis. Threat modelling/architecture analysis using STRIDE or an equivalent method is performed so desig...
CR1.2	Perform opportunistic code review	Code Review. Opportunistic code review is performed so security defects are found during development.
CR1.4	Use automated code review tools (SAST)	Code Review. Automated code review tools (static analysis) are used so security defects are detected at scale.
CR1.5	Make code review mandatory for all projects	Code Review. Code review is made mandatory for all projects so coverage is consistent.
ST1.1	Perform edge/boundary value condition testing	Security Testing. Edge and boundary value condition testing is performed so security-relevant input handling is exercise...
ST1.3	Drive tests with security requirements and features	Security Testing. Tests are driven by security requirements and features so testing verifies the controls that matter.
ST1.4	Integrate opportunistic security testing into the pipeline	Security Testing. Security testing tools (DAST/IAST) are integrated into the pipeline so applications are tested as they...

Maps to 1 other framework

36 total controls

NIST SP 800-218

36 source controls mapped|21 target controls covered

100%

Compare BSIMM with NIST SP 800-218

Frequently Asked Questions

What is BSIMM?

BSIMM is a compliance framework from International with 4 domains and 36 controls. Building Security In Maturity Model It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does BSIMM have?

BSIMM has 36 controls organised across 4 domains. The largest domains are BSIMM Deployment (Penetration Testing, Software Environment, Config & Vulnerability Management) (10 controls), BSIMM Governance (Strategy & Metrics, Compliance & Policy, Training) (9 controls), BSIMM SSDL Touchpoints (Architecture Analysis, Code Review, Security Testing) (9 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does BSIMM map to?

BSIMM maps to 1 other compliance frameworks. The top mapping partners are NIST SP 800-218 (100% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with BSIMM compliance?

Start your BSIMM compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about BSIMM requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 36 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 718 frameworks.

Get Started Free →

Free forever — no credit card required