Secure Coding Practices in Software Development
Ensure software is built securely to prevent vulnerabilities.
Plain language
This control is about making sure that the software your business uses or develops is built in a way that keeps it safe from hackers and glitches. If this isn’t done, your software might have weak spots that bad actors could exploit to steal your information or disrupt your operations.
Framework: ISO/IEC 27001:2022
Control effect: Preventative
ISO 27001 domain: Technological controls
Classifications: N/A
Official last update: 24 Oct 2022
Control Stack last updated: 19 Mar 2026
Maturity levels: N/A
Official control statement
Secure coding principles shall be applied to software development.
Why it matters
Weak secure coding practices increase the risk of data breaches and operational disruption, because the resulting software vulnerabilities are exploitable.
Operational notes
Maintain secure coding standards with peer reviews, SAST/DAST and dependency scanning; refresh secure patterns and train developers on OWASP risks.
Implementation tips
- The IT manager should develop a secure coding policy that defines expected practices. This can be done by setting specific guidelines that all software developers must follow, which should cover both in-house and outsourced efforts. Reference standards from ISO 27002:2022 and comply with Australian privacy regulations.
- Software developers need to be trained in secure coding practices. The organisation should organise training sessions and workshops on common coding vulnerabilities and how to avoid them. Use materials from recognised sources like OWASP and ensure the training is up to date with current threats.
- Procurement teams should ensure that third-party software and open-source components align with secure coding practices. They should verify that vendors apply secure coding standards by requiring documentation or certifications. This helps to ensure that all software components used are secure and reliable.
- Project managers should implement security throughout the software development lifecycle. This means incorporating secure design, threat modelling, and regular security reviews and testing into every project stage. Use methods like static application security testing (SAST) to find vulnerabilities early.
- Executives should support a culture of continuous improvement in secure coding practices. This involves monitoring industry trends and incorporating lessons learned into coding standards and procedures. Encourage feedback loops from security incidents to refine and strengthen secure coding policies continually.
Audit / evidence tips
- Ask for a copy of the organisation’s secure coding policy
- Ask for records of developer training sessions on secure coding
- Ask to see recent security test reports from the software development process
- Ask for documentation on third-party software assessments
- Ask to review incident response records relating to coding issues
Cross-framework mappings
How Annex A 8.28 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (16) | | |
| ISM-0938 | ISM-0938 requires organisations to select user application vendors that demonstrate Secure by Design/Secure by Default, including secure ... | |
| ISM-1241 | ISM-1241 requires that output encoding is performed on all output produced by web applications to prevent injection-style client-side att... | |
| ISM-1275 | ISM-1275 requires that all software-to-database queries are filtered/validated for legitimate content and correct syntax (i.e., query inp... | |
| ISM-1276 | ISM-1276 requires software to use parameterised queries or stored procedures (rather than dynamically generated queries) for database int... | |
| ISM-1278 | ISM-1278 requires software to avoid exposing database structure details through error messages | |
| ISM-1780 | Annex A 8.28 requires that secure coding principles are applied during software development | |
| ISM-1850 | ISM-1850 requires that web application development mitigates the OWASP Top 10 security risks | |
| ISM-2016 | ISM-2016 requires validation and sanitisation to be performed on all input received over a local network by software | |
| ISM-2030 | ISM-2030 requires scanning during commits to detect and block plaintext or encoded secrets/keys from being committed to the authoritative... | |
| ISM-2055 | ISM-2055 requires developers to use available build provenance for third-party components to ensure they were built to an appropriate sta... | |
| ISM-2057 | ISM-2057 requires documented input validation rules that are implemented in code and verified through positive and negative unit or integ... | |
| ISM-2058 | ISM-2058 requires that data sources and serialised data inputs are validated before being deserialised to prevent malformed or malicious ... | |
| ISM-2061 | ISM-2061 requires developer-supported, security-focused peer reviews to be conducted on all critical and security-relevant software compo... | |
| ISM-2064 | ISM-2064 requires that web application session cookies contain only digitally signed opaque bearer tokens to prevent tampering | |
| ISM-2066 | ISM-2066 requires web application sessions to be centrally managed server side to reduce risks such as session tampering and weak client-... | |
| ISM-2085 | ISM-2085 requires organisations to prevent exposing exact AI model confidence scores in APIs and user interfaces | |
| Partially overlaps (3) | | |
| ISM-1460 | ISM-1460 requires the isolation mechanism vendor to demonstrate Secure by Design/Secure by Default practices, explicitly calling out secu... | |
| ISM-2041 | Annex A 8.28 requires secure coding principles to be applied across software development | |
| ISM-2042 | Annex A 8.28 requires applying secure coding principles to reduce software vulnerabilities | |
| Supports (14) | | |
| ISM-0402 | Annex A 8.28 requires secure coding principles to be applied to prevent vulnerabilities during software development | |
| ISM-0971 | Annex A 8.28 requires the application of secure coding principles in software development | |
| ISM-1238 | Annex A 8.28 requires secure coding principles to be applied to software development | |
| ISM-1239 | Annex A 8.28 requires secure coding principles to be applied to prevent vulnerabilities | |
| ISM-1826 | ISM-1826 requires selecting vendors for server applications who apply secure programming practices and, preferably, use memory-safe progr... | |
| ISM-1849 | Annex A 8.28 requires secure coding principles to be applied to prevent vulnerabilities in developed software | |
| ISM-1851 | Annex A 8.28 requires developers to apply secure coding principles to reduce software vulnerabilities | |
| ISM-1922 | Annex A 8.28 requires secure coding principles to be applied in software development | |
| ISM-2024 | ISM-2024 requires developers to use authoritative sources for software development activities, reducing the likelihood of tampered librar... | |
| ISM-2031 | ISM-2031 requires organisations to implement and use build-tool security features (e.g | |
| ISM-2033 | ISM-2033 requires software security requirements to be documented, stored securely, and maintained throughout the SDLC | |
| ISM-2059 | ISM-2059 mandates file type restriction and scanning for malicious content | |
| ISM-2060 | Annex A 8.28 requires secure coding principles to be applied throughout software development to prevent vulnerabilities | |
| ISM-2062 | ISM-2062 requires unit and integration testing (positive and negative cases) to validate code quality and security | |
| Depends on (2) | | |
| ISM-1924 | ISM-1924 requires organisations to build AI applications that can identify and mitigate adversarial prompt content (e.g | |
| ISM-2037 | Annex A 8.28 requires secure coding principles to be applied in software development | |
| Related (2) | | |
| ISM-0401 | ISM-0401 demands Secure by Design practices across the entire SDLC, covering stages like design, build, test, and release | |
| ISM-2040 | Annex A 8.28 requires secure coding principles to be applied to software development | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.