The basics
ISO 27001 control A.8.28 Secure coding requires companies to establish secure coding principles and apply them to software development in order to reduce security vulnerabilities in the software. This is a new control in the 2022 revision of the standard.
Documentation
ISO 27001 control A.8.28 Secure coding can be documented:
- for smaller and mid-sized companies by writing a Secure Development Policy
- for larger companies by writing a Secure Coding Policy
These documents are not mandatory, but are recommended.
Implementation
In order to comply with control A.8.28 Secure coding you might implement the following:
- Technology — the technology to enable secure coding might include tools for maintaining an inventory of libraries, protecting the source code from tampering, logging errors and attacks, and testing; you could also use security components like authentication, encryption, etc. Small companies may use tools installed locally on their developers’ computers, while bigger companies may use centralized software that manages code security in a shared way.
- Organization/processes — you should set up the following: a process for defining the minimum secure coding baseline, both for internal software development and for software components from third parties; a process for monitoring emerging threats and secure coding advice; a process for deciding which external tools and libraries may be used; and a process defining the activities performed before coding, during coding, after coding (review and maintenance), and when software is modified. You can document these processes in a Secure Development Policy or in Procedures for Secure Coding.
- People — make employees aware of why using secure coding principles is needed, and train them on methods and tools for secure coding.
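As an added illustration of two of the items above (a tool for maintaining an inventory of libraries, and a process for deciding which external libraries may be used), the following Python script is example code written for this page; it is not part of the ISO 27001 standard or of any vendor's tooling. It parses a pip-style requirements file, requires every dependency to be pinned to an exact version with an integrity hash, and checks each package against an approved-library list. The requirements text, the digests and the approved list are constructed sample data; the baseline rules themselves (exact pin, hash present, package approved) are one assumed minimum baseline, not the only possible one.

```python
"""Dependency-inventory baseline check (added example, constructed data)."""
import re
from dataclasses import dataclass, field

# Constructed placeholder digests (not real package hashes).
FAKE_HASH_A = "sha256:" + "a" * 64
FAKE_HASH_B = "sha256:" + "b" * 64

# Constructed sample requirements file: one compliant entry, one unpinned
# package without a hash, and one pinned package that is not approved.
SAMPLE_REQUIREMENTS = (
    "# application dependencies\n"
    f"requests==2.31.0 \\\n    --hash={FAKE_HASH_A}\n"
    "pyyaml>=6.0\n"
    f"leftpad-clone==1.0.0 \\\n    --hash={FAKE_HASH_B}\n"
)

# Constructed allow-list standing in for the output of the organisation's
# "which libraries may be used" decision process.
APPROVED_PACKAGES = {"requests", "pyyaml"}


@dataclass
class Finding:
    package: str
    problem: str


@dataclass
class Inventory:
    # package name -> (version specifier, integrity hash or None)
    entries: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)


_REQ_LINE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|>|<)?\s*([^\s\\]*)")


def parse_requirements(text: str) -> Inventory:
    """Build an inventory from requirements text. Backslash continuation
    lines are joined first so that --hash options stay with their package."""
    inv = Inventory()
    logical = text.replace("\\\n", " ")
    for raw in logical.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _REQ_LINE.match(line)
        if not m:
            inv.findings.append(Finding(line, "unparseable requirement"))
            continue
        name, op, version = m.group(1).lower(), m.group(2), m.group(3)
        hashes = re.findall(r"--hash=(sha256:[0-9a-f]{64})", line)
        inv.entries[name] = (f"{op or ''}{version}", hashes[0] if hashes else None)
    return inv


def check_inventory(inv: Inventory, approved: set) -> list:
    """Apply the assumed baseline: exact pin, hash present, package approved."""
    findings = list(inv.findings)
    for name, (spec, digest) in inv.entries.items():
        if not spec.startswith("=="):
            findings.append(Finding(name, "not pinned to an exact version"))
        if digest is None:
            findings.append(Finding(name, "no integrity hash"))
        if name not in approved:
            findings.append(Finding(name, "not on the approved-library list"))
    return findings


def run_check(text: str = SAMPLE_REQUIREMENTS, approved: set = APPROVED_PACKAGES) -> list:
    """Parse and check in one step; returns the list of findings."""
    return check_inventory(parse_requirements(text), approved)


if __name__ == "__main__":
    for f in run_check():
        print(f"{f.package}: {f.problem}")
```

Run against the constructed sample, the check reports three findings: pyyaml is not pinned and carries no hash, and leftpad-clone is not on the approved list; requests passes. The same structure (parse an inventory, apply a written baseline, emit findings) is what an auditor would expect to see wired into a build or review step as evidence that the baseline is actually enforced rather than only documented.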
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.8.28 Secure coding: whether principles for secure coding are integrated into the software lifecycle process.
These are the things the auditor will look for; if they are not found, this is considered a nonconformity.