ISO 27001 Annex A 8.28
The most common vulnerabilities have been the same for twenty years - secure coding addresses them at source.
ISO 27001 Annex A 8.28 - Secure Coding
Secure coding is the practice that prevents the most common application vulnerabilities at source. SQL injection, cross-site scripting, insecure deserialisation, broken authentication - these have sat at the top of the OWASP Top 10 for years and remain the cause of most application breaches. The control asks for secure coding standards to be established and applied.
Secure coding combines several elements: training so developers recognise the patterns, standards that specify the safe approach for each language and platform, tooling that catches obvious issues automatically, and review that addresses the issues tools miss. Each contributes a different layer of protection.
Modern development practice integrates secure coding into the standard development flow. Code review picks up issues during pull requests rather than at release. Static analysis runs in the CI pipeline. Dependency scanning flags vulnerable libraries. The principles are most effective when embedded in the everyday development cycle rather than added as a separate phase.
The largest single contributor to secure coding outcomes is developer training. A team that understands SQL injection writes code that does not have it, almost without thinking about it. A team that has not been trained will reproduce the same patterns indefinitely no matter what tooling is added. The training investment pays back faster than most other security investments.
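The following is an added illustration of the layers described above (standard, tooling, review); it is example code written for this page, not part of the alphaZ toolkit or any coding standard it contains. It uses Python's built-in sqlite3 module with a constructed in-memory table, shows the string-built query a coding standard forbids beside the parameterised form it requires, and includes a deliberately crude line-pattern check of the kind a CI static-analysis step might run to flag the forbidden pattern. All function names, the sample rows and the sample source lines are assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample data for the example: a tiny users table, not from any real system.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """The pattern a secure coding standard forbids: input spliced into the SQL text.

    Whatever the caller supplies becomes part of the statement, so a value containing
    quote characters changes the query's logic instead of being compared as a string.
    """
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """The pattern the standard requires: a placeholder, with the value bound by the driver.

    The statement text is fixed; the input is passed separately and is always treated
    as data, so the same troublesome value simply matches no row.
    """
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Tooling layer: a deliberately simple check that a CI step could run over Python source.
# It flags lines that both contain an SQL verb and build a string from variables
# (f-strings, % formatting, .format(), or + concatenation). Crude, but it catches
# the obvious cases; review is still needed for what it misses.
SQL_VERB = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)
STRING_BUILD = re.compile(r'f["\']|%\s*\(|\+\s*\w+|\.format\(')


def flag_string_built_sql(lines):
    """Return 1-based line numbers where SQL text appears to be assembled from variables."""
    flagged = []
    for number, line in enumerate(lines, start=1):
        if SQL_VERB.search(line) and STRING_BUILD.search(line):
            flagged.append(number)
    return flagged


# Constructed source lines standing in for a file under review.
SAMPLE_SOURCE = [
    "sql = f\"SELECT id FROM users WHERE username = '{username}'\"",
    'sql = "SELECT id FROM users WHERE username = ?"',
    'query = "DELETE FROM sessions WHERE token = " + token',
]


if __name__ == "__main__":
    db = make_db()
    # A constructed test value whose quote characters alter the string-built query.
    probe = "x' OR '1'='1"
    print("vulnerable lookup returns", lookup_vulnerable(db, probe))        # every row
    print("parameterised lookup returns", lookup_parameterised(db, probe))  # no rows
    print("flagged source lines:", flag_string_built_sql(SAMPLE_SOURCE))     # [1, 3]
```

Running the script shows why the standard matters: the same input returns every row from the string-built query and no rows from the parameterised one, and the pattern check flags the two offending source lines while leaving the placeholder form alone.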
Practical Compliance Guidance
Secure coding is described in the IMS1 manual at section 8.5 alongside the Information Security Policy. Coding standards and code review records provide the operational evidence.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists. |
| PP-8-100 Information Security Policy Procedure | Contains the Information Security Policy including the secure coding standards that apply. Use as the source for development security expectations. |
Note - all the above files can be downloaded with an alphaZ subscription.
