open it

Following the first review of the Security Standard for Add-on Marketplaces or SSAM, we worked to produce a report covering the history of the SSAM and the results of the review. This report can be accessed below. 

Read Report Read Report

About the 2021 SSAM Review

Over August and September 2021, DSPANZ held three workshops with industry and government stakeholders to review the SSAM. The review addressed the recently released version 6 of the Digital Service Provider (DSP) Operational Security Framework (OSF) and whether technical uplifts were required for the SSAM requirements. It also looked at similar security standards such as the Operational Framework for Trans-Tasman eInvoicing and Schedule 2 under the Consumer Data Right (CDR). 

It was agreed that the requirements around encryption key management and encryption in transit would be uplifted in line with the OSF requirements. Two new requirements were added to the SSAM:

  • Entity validation - if connected via API, applications can inherit or rely upon the entity validation already performed by the DSP. There is also a recommendation to collect and validate email addresses and phone numbers from users.
  • Web application firewalls - applications must use a web application firewall.

There was also interest from the add-on developers to see optional operational controls added to the SSAM. The following set of optional controls, reflecting existing ISO 27001 requirements, will be added to the SSAM for those looking to meet them. To assist with this, DSPANZ will be creating template self attestation documents for add-on developers to utilise. 

  • Information security awareness, education and training
  • Operational procedures and responsibility
  • Personnel security
  • Physical and environmental security
  • System access control
  • System acquisition, development and maintenance

The review also identified a number of areas where DSPANZ can help to clarify information on the security requirements and better support both DSPs and add-on developers / API consumers with understanding the SSAM. 

The Updated SSAM

A copy of the revised standard will be made available in early 2022. The SSAM review group will look to meet one more time in early 2022 to review the updated documentation before it is officially published. 

Have a question?

Reach out - email us at


Be the first to hear about the latest business software industry news, updates, and events.

Online Forum

Get involved in the discussion! Post your comments and have your say!

Go To Forum

Member Directory

Browse through DSPANZ Members and learn more about them here.

Browse List