GRCWatch
Sign inStart free trial

ISO 27001 Control 8.28: Secure Coding Principles

Insecure code is the gateway for most data breaches. ISO 27001 control 8.28 requires your development teams to embed security into every line of code they write. This control shifts your organization from fixing vulnerabilities after deployment to preventing them during development.

What this means

Control 8.28 mandates that secure coding principles be applied throughout your software development lifecycle. This means preventing common vulnerabilities including SQL injection, cross-site scripting (XSS), broken authentication, insecure deserialization, and sensitive data exposure. Your developers must follow established secure coding standards, use secure libraries and frameworks, and validate all inputs and outputs. The control covers both custom-developed software and third-party integrations your organization relies on.

How to comply

  1. 1.Establish and document secure coding standards aligned with OWASP Top 10 and relevant frameworks for your technology stack
  2. 2.Train all developers on secure coding practices including input validation, output encoding, and proper error handling
  3. 3.Implement code review processes where security experts assess code before deployment
  4. 4.Use static application security testing (SAST) tools to automatically identify vulnerabilities during development
  5. 5.Maintain a list of approved, secure libraries and frameworks; restrict use of outdated or vulnerable dependencies
  6. 6.Implement secure authentication and session management mechanisms across all applications
  7. 7.Conduct regular security testing including dynamic application security testing (DAST) and penetration testing
  8. 8.Document all secure coding policies and maintain evidence of developer training completion

Evidence auditors look for

  • Secure coding standards document specific to your technology stack with examples and requirements
  • SAST tool configuration and reports showing regular scans of source code repositories
  • Code review checklists and documented reviews demonstrating security assessment before production deployment
  • Dependency management reports showing approved libraries and vulnerability scanning results
  • Developer training records with attendance logs and assessment scores
  • DAST and penetration testing reports showing vulnerability identification and remediation
  • Change logs documenting security patches and updates to libraries and frameworks
  • Authentication and session management documentation with implementation details

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates secure coding compliance by centralizing developer training records, integrating SAST tool findings, tracking code review completions, and generating audit-ready evidence reports—eliminating manual tracking across disconnected tools.

See how GRCWatch handles this control automatically

Start free trial

Related controls

ISO 27001 8.27 — Portable media controlISO 27001 8.29 — Security testing during developmentISO 27001 8.30 — Outsourced development