Ensure Data Validation Before Deserialisation
Check data is correct before converting it from storage format to usable format to prevent issues.
Plain language
This control is about ensuring that any data you collect or receive is checked carefully before it's converted into a format that your computer systems use. This matters because if the data is not checked, it could contain harmful elements that might damage your systems or allow unauthorised access.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Topic
Software Input Handling
Official control statement
Data sources and serialised data inputs are validated before being deserialised.
Why it matters
If serialised inputs are not validated before deserialisation, an attacker who controls the input can use unsafe deserialisation to make the application instantiate classes or invoke callables it never intended to (the classic cases are Java ObjectInputStream gadget chains and Python pickle), leading to remote code execution, tampering with application state, or full system compromise.
Operational notes
Validate serialised input against an allow-list of expected schema, fields and types before deserialising it, and reject anything with unexpected fields or class references. Prefer data-only formats (JSON, protobuf) over native object serialisation for untrusted input; where native deserialisation is unavoidable, use a deserialiser that restricts which classes can be instantiated. Check integrity (an HMAC or signature over the raw bytes) on untrusted inputs before any parser touches them, and enforce a size limit.
Implementation tips
- System owners should identify the sources of incoming data for their applications. They can do this by listing all the external systems and users that send data and specifying the type of data they send. This helps in setting up necessary checks.
- The IT team should create rules or scripts to validate the data format when it arrives. They can do this by developing and testing scripts that check data against expected patterns or formats before any further processing.
- Managers should ensure staff are trained in data validation techniques. This can be done by organising workshops or providing simple guides that explain how to check and handle data securely.
- System owners need to implement logging for data validation activities. This involves setting up the system to keep records of all validation checks performed, which can then be reviewed if there are any issues.
- The IT team should regularly update the data validation processes to adapt to new threats. This involves reviewing validation scripts and patterns periodically to ensure they are up-to-date and effective against recent data threats.
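The operational notes and the implementation tip about validation scripts describe one pipeline: check integrity and size on the raw bytes, parse with a data-only format, reject unexpected fields and wrong types, and only then hand the result to the application. The following is an added example written for this page, not code from the ISM or Control Stack. It assumes a shared HMAC key (`DEMO_KEY`), a three-field user record schema and the sample payloads, all constructed for the demo; it also shows how a native deserialiser (Python's `pickle`) can be restricted to an allow-list of globals for the case where such a format cannot be avoided.

```python
"""Added example (not from the ISM or Control Stack): validate serialised input
before deserialising it. Key, schema and sample payloads are constructed for the demo."""
import hashlib
import hmac
import io
import json
import os
import pickle

DEMO_KEY = b"constructed-demo-key"  # assumption: a real key comes from a secret store
MAX_BYTES = 64 * 1024

# Allow-listed schema: field name -> (expected type, required?)
SCHEMA = {"username": (str, True), "age": (int, True), "roles": (list, False)}
ALLOWED_ROLES = {"reader", "editor"}


def sign(payload: bytes, key: bytes = DEMO_KEY) -> str:
    """HMAC-SHA256 tag the producer attaches to the raw serialised bytes."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_integrity(payload: bytes, tag_hex: str, key: bytes = DEMO_KEY) -> bool:
    """Constant-time check of the tag over the raw bytes, before any parser sees them."""
    return hmac.compare_digest(sign(payload, key), tag_hex)


def load_user(payload: bytes, tag_hex: str) -> dict:
    """Deserialise a JSON user record only after size, integrity and schema checks pass."""
    if len(payload) > MAX_BYTES:
        raise ValueError("payload too large")
    if not verify_integrity(payload, tag_hex):
        raise ValueError("integrity check failed")
    data = json.loads(payload)  # JSON cannot name classes or code, unlike pickle/Java serialisation
    if not isinstance(data, dict):
        raise ValueError("top-level value must be an object")
    unexpected = set(data) - set(SCHEMA)
    if unexpected:
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    for field, (typ, required) in SCHEMA.items():
        if field not in data:
            if required:
                raise ValueError(f"missing field: {field}")
            continue
        value = data[field]
        # bool is a subclass of int in Python, so exclude it explicitly for int fields
        if not isinstance(value, typ) or (typ is int and isinstance(value, bool)):
            raise ValueError(f"field {field!r} has wrong type")
    if not 1 <= len(data["username"]) <= 64:
        raise ValueError("username length out of range")
    if not 0 <= data["age"] <= 150:
        raise ValueError("age out of range")
    bad_roles = [r for r in data.get("roles", []) if r not in ALLOWED_ROLES]
    if bad_roles:
        raise ValueError(f"unknown roles: {bad_roles}")
    return data


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global (class/function) except an explicit allow-list."""
    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_pickle_load(data: bytes):
    """Return (True, obj) if the pickle only uses allow-listed globals, else (False, reason)."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


def pickle_blob(obj) -> bytes:
    """Serialise with the standard pickler; the producer side is not where the risk lies."""
    return pickle.dumps(obj)


class CallsFunctionOnLoad:
    """Constructed object whose pickle makes the loader call os.getcwd(): a harmless
    stand-in for the arbitrary-callable behaviour that unsafe deserialisation enables."""
    def __reduce__(self):
        return (os.getcwd, ())


GOOD_PAYLOAD = b'{"username": "alice", "age": 31, "roles": ["reader"]}'
BAD_PAYLOAD = b'{"username": "mallory", "age": true, "__class__": "Admin"}'  # constructed


if __name__ == "__main__":
    print(load_user(GOOD_PAYLOAD, sign(GOOD_PAYLOAD)))
    for payload, tag in ((BAD_PAYLOAD, sign(BAD_PAYLOAD)), (GOOD_PAYLOAD, sign(BAD_PAYLOAD))):
        try:
            load_user(payload, tag)
        except ValueError as exc:
            print("rejected:", exc)
    print(safe_pickle_load(pickle_blob(CallsFunctionOnLoad())))
    print(safe_pickle_load(pickle_blob({"k": [1, 2]})))
```

The ordering matters: the integrity and size checks run on raw bytes so that a forged or oversized payload never reaches `json.loads`, and the schema check rejects unknown fields rather than silently ignoring them, which is what stops mass-assignment style tampering. The restricted unpickler is a containment measure for legacy code, not a substitute for moving untrusted inputs to a data-only format.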
Audit / evidence tips
- Ask: the data validation procedure documentation. Request the written process details for how data is checked before being used.
  Good: includes a recent document with clear roles and step-by-step validation processes.
- Ask: to see the list of incoming data sources. Request the list or registry that identifies where data is coming from and its characteristics.
  Good: shows a regularly updated list that corresponds with current business activities.
- Ask: recent logs showing data validation activity. Request logs or reports generated during data validation.
  Good: logs reflecting regular checks and responses to any issues encountered.
- Ask: about staff training records on data handling. Request evidence that staff have been trained on data validation practices.
  Good: includes recent training sessions with high attendance and relevant content.
- Ask: to see updates or reviews of validation scripts. Request records of changes or improvements to validation scripts.
  Good: includes scheduled reviews documented with dated changes and explanations.
Cross-framework mappings
How ISM-2058 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 8.28 | Partially meets | ISM-2058 requires that data sources and serialised data inputs are validated before being deserialised to prevent malformed or malicious ... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.