Ensure Comprehensive Input Validation in Software
All input validation rules must be documented, implemented in code and tested with both valid and invalid inputs, so that malformed or malicious data is rejected before it can cause errors or be exploited.
Plain language
This control is all about ensuring that every time data is entered into a computer system, it's checked to make sure it’s safe and correct. This prevents nasty surprises like system errors or security breaches, where harmful data sneaks in and causes trouble for your business.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Topic
Software Input Handling
Official control statement
All input validation rules are documented, matched in code and tested with both positive and negative unit testing or integration testing.
Why it matters
Without comprehensive input validation, malformed or hostile input reaches application logic unchecked. The consequences range from data corruption and crashes (downtime) to injection attacks and unauthorised access, because the code acts on data it never verified.
Operational notes
Document the input validation rules, make sure the code enforces exactly those rules, and cover every input path with tests: positive tests confirm that valid input is accepted, negative tests confirm that malformed, out-of-range, wrongly typed and hostile input is rejected.
Implementation tips
- The IT team should create a detailed guide for validation rules: document the specific rules that apply whenever data enters your software, covering formats, lengths, value ranges, allowable characters and which fields are required. Prefer allow-lists (what is accepted) over deny-lists (what is blocked), since deny-lists are bypassed by input nobody anticipated. Collaborate with software developers to make sure these rules are clear and practical.
- Software developers should match the input validation rules in the code: implement the documented rules directly in the codebase so that each data entry point is checked against them. Perform the checks on the server side at the trust boundary (client-side checks are a convenience and can be bypassed) and after the input has been decoded and canonicalised, so that encoding tricks cannot slip past a rule. Use established validation libraries rather than ad hoc string checks.
- The testing team should conduct tests using various inputs: run tests with both good data and intentionally faulty data (wrong types, empty and oversized values, boundary values, injection-style strings) and confirm that every documented rule has at least one positive and one negative case. Make a checklist and keep a record of which inputs were tested and how the software responded.
- Managers should review the validation processes periodically: Set regular meetings with the IT and software teams to discuss the effectiveness of current validation rules and update them if necessary. Ensure the rules still match the business and security requirements over time.
- Train staff to understand basic validation principles: Organise workshops or briefings to explain why input validation is important and what types of data inputs are risky. Help them recognise potential issues early by giving examples of validation failures and their consequences.
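The three technical steps above (document the rules, match them in code, test both ways) are easiest to keep aligned when the rule table is the single source for both the documentation and the checks. The following is an added illustrative example in Python; it is not code from the ISM or from any particular product, and the "create user" request, its field names, rule wording and messages are assumptions chosen for the demonstration.

```python
"""Documented input validation rules, matched in code and exercised with
positive and negative tests. Added illustrative example; the 'create user'
request, its field names and its rules are assumptions, not from the ISM."""
import re
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Rule:
    """One validation rule. 'doc' is the sentence that goes in the rules
    document; 'check' is the code that must match it (allow-list style)."""
    name: str
    doc: str
    check: Callable[[str], bool]


# Hypothetical rule table for a 'create user' request (assumed field names).
RULES = {
    "username": Rule(
        "username",
        "3-32 characters, lowercase letters, digits and underscore only",
        lambda v: re.fullmatch(r"[a-z0-9_]{3,32}", v) is not None,
    ),
    "email": Rule(
        "email",
        "local@domain.tld form, at most 254 characters, no whitespace or control characters",
        lambda v: len(v) <= 254
        and re.fullmatch(r"[^@\s\x00-\x1f]+@[^@\s\x00-\x1f]+\.[^@\s\x00-\x1f]+", v) is not None,
    ),
    "age": Rule(
        "age",
        "decimal integer between 13 and 130 inclusive",
        lambda v: re.fullmatch(r"[0-9]{1,3}", v) is not None and 13 <= int(v) <= 130,
    ),
}


def rules_document() -> str:
    """Render the rule table as the text for the rules document, so the
    documentation is generated from the same definitions the code enforces."""
    return "\n".join(f"{r.name}: {r.doc}" for r in RULES.values())


def validate(payload: dict) -> list[str]:
    """Apply every rule; return sorted violations (empty list means valid).
    The field set is itself an allow-list: unknown or missing fields fail,
    and non-string values are rejected before any rule sees them."""
    errors = [f"{f}: unexpected field" for f in payload.keys() - RULES.keys()]
    for name, rule in RULES.items():
        if name not in payload:
            errors.append(f"{name}: missing")
        elif not isinstance(payload[name], str):
            errors.append(f"{name}: must be a string")
        elif not rule.check(payload[name]):
            errors.append(f"{name}: {rule.doc}")
    return sorted(errors)


# Constructed test data. Positive cases must pass; each negative case
# violates exactly one rule, and the expected field is recorded so a failing
# test names the rule whose code no longer matches its documentation.
POSITIVE = [
    {"username": "alice_01", "email": "alice@example.com", "age": "34"},
    {"username": "bob", "email": "b@x.io", "age": "13"},  # boundary values
]
NEGATIVE = [
    ({"username": "Al", "email": "a@example.com", "age": "34"}, "username"),  # short, uppercase
    ({"username": "alice; DROP TABLE users", "email": "a@example.com", "age": "34"}, "username"),
    ({"username": "alice", "email": "not-an-email", "age": "34"}, "email"),
    ({"username": "alice", "email": "a\x00@example.com", "age": "34"}, "email"),  # control char
    ({"username": "alice", "email": "a@example.com", "age": "12"}, "age"),  # below range
    ({"username": "alice", "email": "a@example.com", "age": "-1"}, "age"),  # not a digit string
    ({"username": "alice", "email": "a@example.com", "age": ["34"]}, "age"),  # wrong type
    ({"username": "alice", "email": "a@example.com"}, "age"),  # missing field
    ({"username": "alice", "email": "a@example.com", "age": "34", "is_admin": "true"}, "is_admin"),
]


def run_self_tests() -> dict:
    """Run the positive and negative cases; the returned record is the kind of
    evidence an auditor asks for (what was tested and how the code responded)."""
    failures = []
    for case in POSITIVE:
        if validate(case):
            failures.append(("positive", case, validate(case)))
    for case, field in NEGATIVE:
        errs = validate(case)
        if len(errs) != 1 or not errs[0].startswith(field + ":"):
            failures.append(("negative", case, errs))
    return {"positive": len(POSITIVE), "negative": len(NEGATIVE), "failures": failures}


if __name__ == "__main__":
    print(rules_document())
    print(run_self_tests())
```

Because the documentation is rendered from the same table the code enforces, "rules documented" and "rules matched in code" cannot silently diverge; a reviewer compares the generated text with the approved rules document. The negative cases deliberately include type confusion (a list where a string is expected), an unexpected privileged field and an injection-style string, which are the classes of input a negative test suite most often omits. This check belongs on the server after the request body has been decoded; it does not replace output encoding or parameterised queries downstream.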
Audit / evidence tips
- Ask for the input validation rules documentation: request a complete document detailing the validation rules applied to the software. Good evidence: a well-organised document showing these rules in detail and how they apply to the software.
- Ask for test results and reports: request records of tests conducted with both valid and invalid data inputs. Good evidence: clear documentation of test scenarios, results, and any adjustments made.
- Ask for the software's source code: request access to the parts of the code where input validation is done. Good evidence: the rules applied directly in the code, aligned with the documented rules.
- Ask about staff training sessions: request schedules and materials used for staff training on input validation. Good evidence: attendance records and training content tailored to teach the importance of validation.
- Ask for procedure review records: request meeting notes or records showing regular reviews of validation rules and their effectiveness. Good evidence: action items from these reviews and the dates when updates were implemented.
Cross-framework mappings
How ISM-2057 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001: partially meets (3 mapped controls)

| Control | Notes |
|---|---|
| Annex A 8.25 | ISM-2057 mandates comprehensive input validation rules are documented, correctly implemented, and tested with both positive and negative ... |
| Annex A 8.28 | ISM-2057 requires documented input validation rules that are implemented in code and verified through positive and negative unit or integ... |
| Annex A 8.29 | ISM-2057 focuses on ensuring input validation is specified, implemented, and tested using positive and negative unit or integration tests |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.