ISM-2016 (ASD Information Security Manual policy control)

Ensure Input Validation and Sanitisation for Security

Software must check and clean all local network inputs to prevent security issues.


Plain language

Ensuring that all information entering your software from your local network is checked and cleaned is like making sure no mud gets on your carpet: it helps keep everything inside safe and tidy. If you skip this step, you might let in harmful data, which could crash the software or even allow an attacker on your network to take control of your system.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2025

Control Stack last updated

18 May 2026

E8 maturity levels

N/A

Official control statement

Validation and sanitisation are performed on all input received over a local network by software.

Why it matters

Poor input validation and sanitisation let an attacker supply crafted input that the software then interprets as code, commands or queries (injection, memory corruption, path traversal), leading to data breaches and significant business disruption. A local network is not a trusted source: a compromised workstation, printer or peer service on the LAN can send the same malicious input an Internet attacker would.


Operational notes

Validate and sanitise all local-network inputs using allow-lists (define what is permitted and reject everything else, rather than trying to block known-bad patterns); implement the checks once in a shared component and apply it at every entry point; fuzz test the entry points; and log rejected or anomalous values so that validation failures are visible to detection and response.


Implementation tips

  • The IT team should identify all pathways where data enters the system from the local network. This includes internal web forms, APIs and RPC calls from other services, files read from shared storage and messages from devices on the LAN. Map out these entry points so that none is left unchecked.
  • System developers need to define what valid input looks like for each field: type, length, range and permitted characters, for example ensuring phone numbers contain only digits. Record these rules in the software requirements so that they are implemented and tested consistently.
  • Software testers should routinely check that input validation is working as intended by submitting both valid and invalid data (including oversized, malformed and unexpected-type values) and confirming that the system accepts or rejects each correctly.
  • Managers should ensure staff understand the importance of input validation. Conduct training sessions that explain why and how data entering the system can be dangerous if not properly checked.
  • Procurement officers should ensure any software being considered for purchase validates and sanitises its inputs. Request this information from the vendor in clear terms and make it part of the evaluation criteria during software selection.
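The operational notes and implementation tips above describe one procedure: enumerate entry points, write allow-list rules per field, funnel every message through a single validation routine, log rejections and fuzz the result. The block below is an added worked example of that procedure and is not code from the ISM or any vendor product. It assumes a hypothetical internal job-control service that receives JSON messages from peers on the LAN; the message shape, field names and the in-memory rejection log are constructed for illustration.

```python
"""Allow-list validation of requests arriving from the local network.

Constructed example for a hypothetical internal job-control service that
accepts JSON messages from peers on the LAN. Message shape, field names and
limits are assumptions, not part of ISM-2016 or any real product.
"""
import json
import logging
import random
import re
from dataclasses import dataclass

log = logging.getLogger("input_validation")

MAX_MESSAGE_BYTES = 4096                       # reject oversized payloads before parsing
ALLOWED_ACTIONS = frozenset({"start", "stop", "status"})
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$")
PHONE_RE = re.compile(r"^\+?[0-9]{6,15}$")     # digits only, as in the tip above
LABEL_DISALLOWED = re.compile(r"[^A-Za-z0-9 ._-]")  # anything outside the label allow-list

REJECTIONS = []  # constructed in-memory log so rejections can be inspected in tests


class ValidationError(ValueError):
    """Raised for every input the service refuses to process."""


@dataclass(frozen=True)
class JobRequest:
    action: str
    target: str
    port: int
    contact: str
    label: str


def reject(field, reason, value):
    # Log the rejection with a truncated repr so the log line itself stays bounded
    msg = f"rejected {field}: {reason} (value={value!r:.60})"
    REJECTIONS.append(msg)
    log.warning(msg)
    raise ValidationError(msg)


def sanitise_label(value):
    """Sanitisation for the one free-text field: drop non-allow-listed chars, cap length."""
    return LABEL_DISALLOWED.sub("", value)[:64].strip()


def validate_request(raw: bytes) -> JobRequest:
    """Single entry point: every message received from the LAN passes through here."""
    if len(raw) > MAX_MESSAGE_BYTES:
        reject("message", "too large", len(raw))
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        reject("message", f"not valid UTF-8 JSON ({exc.__class__.__name__})", raw[:40])
    if not isinstance(msg, dict):
        reject("message", "top level is not an object", type(msg).__name__)
    expected = {"action", "target", "port", "contact", "label"}
    if set(msg) != expected:
        reject("message", "unexpected or missing keys", sorted(set(msg) ^ expected))
    action, target, port, contact, label = (msg[k] for k in sorted(expected))
    # sorted(expected) is: action, contact, label, port, target
    action, contact, label, port, target = action, target, port, contact, label
    if not isinstance(action, str) or action not in ALLOWED_ACTIONS:
        reject("action", "not in allow-list", action)
    if not isinstance(target, str) or not HOSTNAME_RE.match(target.lower()):
        reject("target", "not a valid hostname", target)
    # bool is an int subclass; exclude it so true/false are not accepted as ports
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        reject("port", "not an integer in 1..65535", port)
    if not isinstance(contact, str) or not PHONE_RE.match(contact):
        reject("contact", "not a phone number (digits only)", contact)
    if not isinstance(label, str):
        reject("label", "not a string", label)
    return JobRequest(action, target.lower(), port, contact, sanitise_label(label))


def is_rejected(raw: bytes) -> bool:
    """True if the entry point refuses the message; any other exception is a bug."""
    try:
        validate_request(raw)
        return False
    except ValidationError:
        return True


def fuzz(iterations=500, seed=1):
    """Cheap fuzz test: random bytes and single-byte mutations of a valid message
    must only ever be accepted or rejected, never crash. Returns the accept count."""
    rng = random.Random(seed)
    good = json.dumps({"action": "start", "target": "db01.corp.local", "port": 5432,
                       "contact": "0412345678", "label": "nightly backup"}).encode()
    accepted = 0
    for _ in range(iterations):
        if rng.random() < 0.5:
            data = bytes(rng.randrange(256) for _ in range(rng.randrange(0, 200)))
        else:
            pos = rng.randrange(len(good))
            data = good[:pos] + bytes([rng.randrange(256)]) + good[pos + 1:]
        if not is_rejected(data):
            accepted += 1
    return accepted


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(validate_request(b'{"action":"start","target":"DB01.corp.local","port":5432,'
                           b'"contact":"0412345678","label":"nightly\\u0000 backup; rm -rf /"}'))
    print("fuzz cases accepted:", fuzz())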

Audit / evidence tips

  • Ask: A list of all input points identified by the IT team. Good: Includes clear guidelines that cover common and uncommon input scenarios.
  • Ask: Results of testing routines from software testers. Good: Outcome shows regular sessions with most relevant staff having attended.
  • Ask: Procurement officers for software procurement criteria documentation. Good: Document lists clear input validation as a mandatory feature in software systems.

Cross-framework mappings

How ISM-2016 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (2 controls)

Annex A 8.25 (Secure development life cycle): ISM-2016 requires software to validate and sanitise all inputs received over a local network.
Annex A 8.28 (Secure coding): ISM-2016 requires validation and sanitisation to be performed on all input received over a local network by software.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

Mapping detail

Mapping

Direction

Controls