Ensure Input Validation and Sanitisation for Internet Data
All internet-received inputs for software must be validated and cleaned to prevent security issues.
Plain language
This control is about making sure that any information your software receives from the internet is checked and cleaned up before it's used. It's crucial because if untrusted data is allowed into your system, it could lead to security breaches, where someone could steal information or damage your system.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Topic
Software Input Handling
Official control statement
Validation and sanitisation are performed on all input received over the internet by software.
Why it matters
Unchecked internet input can enable injection attacks (e.g. SQLi/XSS), causing data breaches, fraud, or service disruption.
Operational notes
Validate and sanitise all internet input server-side using allow-lists, encoding and safe parsers; add tests and monitor logs for suspicious payloads.
Implementation tips
- The IT team should implement input validation by setting up rules in the software to check that all internet data fits expected patterns before it’s used. This can be done by using built-in features of programming languages or security libraries to ensure data is safe.
- Software developers should sanitise input data by removing or altering any potentially harmful parts. They can achieve this through programming methods that strip out harmful characters or commands that could cause damage if entered into the system.
- The security manager should regularly train staff involved in software development on safe data handling practices. This includes how to identify insecure input sources and what best practices to follow to mitigate risks.
- Team leaders should integrate input validation and sanitisation checks into the development lifecycle. This involves making these steps part of the software testing phase, ensuring every new piece of code runs through these checks before it goes live.
- The IT security team should continuously monitor input validation and sanitisation processes. They can use automated tools to scan applications for vulnerabilities and report issues for quick resolution, maintaining strong security over time.
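The following is an added example (not from the ISM or Control Stack) of the server-side pattern the operational notes describe: allow-list validation of structured fields, length-bounding and HTML-encoding of free text, and persistence through a parameterised query. The field names, patterns and sample inputs are constructed for illustration.

```python
import html
import re
import sqlite3

# Allow-list patterns (constructed): each field states exactly what is accepted.
ALLOW_LISTS = {
    "username": re.compile(r"^[A-Za-z0-9_]{3,32}$"),
    "postcode": re.compile(r"^\d{4}$"),  # four-digit postcode
}


class ValidationError(ValueError):
    """Raised when internet-sourced input does not match its allow-list."""


def validate(field, value):
    """Server-side allow-list validation: reject anything outside the expected pattern."""
    if not isinstance(value, str):
        raise ValidationError(f"{field}: expected a string")
    value = value.strip()
    pattern = ALLOW_LISTS.get(field)
    if pattern is None or not pattern.fullmatch(value):
        raise ValidationError(f"{field}: rejected")
    return value


def sanitise_for_html(free_text, max_len=200):
    """Free text that cannot be allow-listed: drop non-printable characters, bound length, HTML-encode."""
    cleaned = "".join(ch for ch in free_text if ch.isprintable())[:max_len]
    return html.escape(cleaned, quote=True)


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profiles (username TEXT, postcode TEXT, bio TEXT)")
    return conn


def store_profile(conn, raw):
    """Validate and sanitise every field, then persist with a parameterised query, never string-built SQL."""
    username = validate("username", raw.get("username", ""))
    postcode = validate("postcode", raw.get("postcode", ""))
    bio = sanitise_for_html(raw.get("bio", ""))
    conn.execute("INSERT INTO profiles (username, postcode, bio) VALUES (?, ?, ?)",
                 (username, postcode, bio))
    conn.commit()
    return {"username": username, "postcode": postcode, "bio": bio}


def demo():
    """Constructed inputs: one well-formed profile, one username that fails the allow-list."""
    conn = new_db()
    good = store_profile(conn, {"username": " alice_01 ", "postcode": "2600", "bio": "<b>Hi</b> & bye"})
    try:
        store_profile(conn, {"username": "bob'; --", "postcode": "2600", "bio": ""})
        rejected = False
    except ValidationError:
        rejected = True
    return good, rejected
```

The rejected record never reaches the query, and the accepted bio is stored already encoded, so a template that renders it without further escaping cannot be tricked into emitting markup.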
Audit / evidence tips
- Ask: the documentation of the input validation processes. Request the specific guidelines or policies developers follow for input validation.
  Good: shows detailed policies outlining specific validation methods used for different types of inputs.
- Good: provides clear before-and-after data showing how input was cleaned.
- Ask: training logs. Request records showing staff training sessions on input validation and sanitisation.
  Good: includes recent, detailed records showing regular training and updates aligned with current threats.
- Ask: documentation showing that input validation and sanitisation checks are part of the software testing process.
  Good: includes test results verifying that all tested software versions passed input handling checks.
- Ask: monitoring reports. Request reports from any tools used to monitor input validation and sanitisation efforts.
  Good: includes recent reports showing active monitoring and instances where issues were detected and resolved.
Cross-framework mappings
How ISM-1240 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
Partially meets (2)

| Control | Notes |
|---|---|
| Annex A 8.25 | ISM-1240 requires validation and sanitisation of all input received over the internet by software to prevent exploitation via untrusted data |
| Annex A 8.29 | ISM-1240 requires software to validate and sanitise all internet-sourced input to reduce the likelihood of vulnerabilities such as inject... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.