Control Stack
ISM-2016 ASD Information Security Manual (ISM)

Ensure Input Validation and Sanitisation for Security

Software must check and clean all local network inputs to prevent security issues.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS (applies at every classification level, from non-classified through OFFICIAL: Sensitive, PROTECTED and SECRET to TOP SECRET)

🗓️ ISM last updated

May 2025

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Validation and sanitisation are performed on all input received over a local network by software.

Source: ASD Information Security Manual (ISM)

Plain language

Checking and cleaning every piece of information that enters your software from your local network is like making sure no mud gets tracked onto the carpet: it keeps everything inside safe and tidy. If you skip this step, you may let in harmful data that crashes the software or even lets an attacker take control of the system. "Local" does not mean "trusted": a compromised workstation or a rogue device on the same network segment can send exactly the same bad data an internet attacker would.

Why it matters

Missing or weak input validation and sanitisation is the root cause of most injection flaws (SQL, command and LDAP injection, path traversal, buffer overflows). An attacker who controls an unchecked input can crash the software, alter its behaviour or execute code of their choosing, leading to data breaches and significant business disruption. Input from the local network deserves the same scrutiny as input from the internet, because one compromised host inside the perimeter is enough to reach every listening service.

Operational notes

Validate and sanitise all local-network inputs against allow-lists (accept only what is known to be good, rather than trying to block known-bad patterns); route every entry point through one centralised validation layer so that no individual handler can skip the check; fuzz test the entry points; and log rejected or anomalous values, with the sender, so that they can feed detection and incident response.

Implementation tips

  • IT team should identify every pathway through which data enters the system from the local network: forms served to internal users, APIs and RPC endpoints, message queues, file shares and feeds from other software. Map these points so that each one is accounted for and assigned an owner.
  • System developers need to define rules for what valid input looks like at each entry point: data type, length, range and permitted character set, expressed as an allow-list. A simple example is a rule that phone numbers contain only digits and an optional leading plus sign, so letters are rejected. Record these rules in the software requirements so they can be tested and audited.
  • Software testers should routinely confirm that validation behaves as intended by submitting both valid and invalid data, including boundary cases (empty, oversized, wrong type, unusual encodings) and deliberately malformed values, and checking that the system accepts or rejects each one correctly and logs the rejections. Automate these checks so regressions are caught on every change.
  • Managers should ensure staff understand why input validation matters. Run training sessions that explain how data entering the system can be dangerous if it is not properly checked, and how the organisation's validation rules are meant to be applied.
  • Procurement officers should ensure any software being considered for purchase validates and sanitises its network inputs. Request this information from the vendor in clear terms and make it part of the evaluation criteria during software selection.
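The allow-list, centralised-check and logging approach described in the operational notes and in the steps above, as an added example (this is not Control Stack's or ASD's code): a small Python validation layer that every network handler is meant to call, plus the testers' routine that feeds it valid and invalid samples. The field names (phone, hostname, quantity, comment), the peer address and the sample messages are assumptions constructed for illustration.

```python
"""Centralised allow-list validation for input that arrives over the local
network. Added example, not Control Stack's or ASD's code: the field names,
the message layout and the sample messages below are constructed."""
import logging
import re
import unicodedata

log = logging.getLogger("input-validation")

# Allow-list rules: each field states exactly what is acceptable and anything
# else is rejected, not "repaired". [0-9] is used rather than \d because \d
# also matches non-ASCII Unicode digits.
RULES = {
    # Phone number: optional '+' then 8 to 15 digits, so letters are rejected.
    "phone": (re.compile(r"\+?[0-9]{8,15}"), 16),
    # Hostname: dot-separated labels only; rejects paths, '..' and shell metacharacters.
    "hostname": (re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
                            r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*"), 253),
    # Free text: printable ASCII only, so NUL, newlines and other controls are out.
    "comment": (re.compile(r"[\x20-\x7e]{0,200}"), 200),
    "quantity": (re.compile(r"[0-9]{1,6}"), 6),
}
REQUIRED = {"phone", "hostname", "quantity"}


class ValidationError(ValueError):
    """Raised when a message fails validation; carries every rejection found."""
    def __init__(self, rejections):
        super().__init__("; ".join(rejections))
        self.rejections = rejections


def safe_for_log(value):
    """Render a rejected value so it cannot forge log lines: repr() escapes
    newlines and control characters, and the length is capped."""
    text = repr(value)
    return text if len(text) <= 64 else text[:64] + "...(truncated)"


def sanitise(value):
    """Normalisation applied before validation: strip surrounding whitespace and
    fold Unicode compatibility forms (e.g. full-width digits) to ASCII, so
    equivalent inputs are checked in one canonical form."""
    return unicodedata.normalize("NFKC", value).strip()


def validate(message, peer="unknown"):
    """The single entry point every network handler calls. Returns a new dict
    holding only known, validated fields, or raises ValidationError. Every
    rejection is logged with the peer address so it can feed detection."""
    rejections, cleaned = [], {}
    # Field names are allow-listed too: unexpected keys are rejected outright.
    for key in message:
        if key not in RULES:
            rejections.append(f"unexpected field {safe_for_log(key)}")
    for field in sorted(REQUIRED - set(message)):
        rejections.append(f"missing required field {field}")
    for field, (pattern, max_len) in RULES.items():
        if field not in message:
            continue
        raw = message[field]
        if not isinstance(raw, str):
            rejections.append(f"{field}: expected string, got {type(raw).__name__}")
            continue
        value = sanitise(raw)
        # Cheap length check first, then the allow-list pattern over the whole value.
        if len(value) > max_len or not pattern.fullmatch(value):
            rejections.append(f"{field}: rejected value {safe_for_log(raw)}")
            continue
        cleaned[field] = value
    if rejections:
        for reason in rejections:
            log.warning("peer=%s %s", peer, reason)
        raise ValidationError(rejections)
    return cleaned


# Constructed samples for the testers' routine: (label, message, should_accept).
OK = {"phone": "0400000000", "hostname": "h", "quantity": "1"}
SAMPLES = [
    ("valid message", {"phone": "+61400000000", "hostname": "print01.corp.example",
                       "quantity": "12", "comment": "ok"}, True),
    ("full-width digits folded then accepted", {**OK, "quantity": "\uff11\uff12"}, True),
    ("letters in phone", {**OK, "phone": "0400ABC000"}, False),
    ("path traversal in hostname", {**OK, "hostname": "../../etc/passwd"}, False),
    ("log forging newline in comment", {**OK, "comment": "ok\nWARNING all clear"}, False),
    ("unexpected field", {**OK, "role": "admin"}, False),
    ("missing required field", {"phone": "0400000000", "quantity": "1"}, False),
    ("wrong type", {**OK, "quantity": 1}, False),
]


def run_checks(samples=SAMPLES):
    """Feed every sample through validate(); returns {label: behaved_as_expected}."""
    results = {}
    for label, message, should_accept in samples:
        try:
            validate(message, peer="10.0.0.5")
            accepted = True
        except ValidationError:
            accepted = False
        results[label] = accepted == should_accept
    return results


if __name__ == "__main__":
    for label, ok in run_checks().items():
        print(f"{'PASS' if ok else 'FAIL'}: {label}")
```

Two design points worth noting. Sanitisation (NFKC folding, whitespace stripping) runs before validation so that the allow-list is checked against a canonical form, but it never tries to "fix" a bad value: anything that still fails the pattern is rejected and logged. The log line uses repr() on the rejected value so that an input containing a newline cannot forge a second, innocent-looking log entry, which is the kind of secondary injection that logging raw rejected values invites.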

Audit / evidence tips

  • Ask: the list of local-network input points identified by the IT team
    Good: every entry point (forms, APIs, message queues, file shares, feeds from other software) is enumerated, with an owner and the validation rule that applies to it

  • Ask: the input validation rules defined by system developers in the software requirements
    Good: rules are allow-list based and cover common and uncommon input scenarios (empty, oversized, wrong type, unusual encodings)

  • Ask: results of testing routines from software testers
    Good: tests submit both valid and invalid data, invalid data is shown being rejected and logged, and the tests run automatically on each change

  • Ask: training records from managers
    Good: records show regular sessions with most relevant staff having attended

  • Ask: procurement officers for software procurement criteria documentation
    Good: document lists input validation and sanitisation as a mandatory feature in software systems

Cross-framework mappings

How ISM-2016 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001 (partially meets, 2 controls)

Control: Annex A 8.25 (Secure development life cycle)
Notes: ISM-2016 requires software to validate and sanitise all inputs received over a local network; defining and enforcing such rules is one element of a secure development life cycle.

Control: Annex A 8.28 (Secure coding)
Notes: ISM-2016 requires validation and sanitisation to be performed on all input received over a local network by software, which is a core secure-coding practice.
