- See ISO 27002:2022 Control 8.28 for more information.
ISO 27001 Annex A 8.28: Strengthening Software Security with Secure Coding
The use of poor coding practices, such as incorrect input validation and weak key generation, can lead to cyber-attacks and the compromise of sensitive information assets.
For this reason, hackers exploited the infamous Heartbleed bug to access more than 4 million patient records.
To prevent security vulnerabilities, organisations need to follow secure coding principles.
What Is The Purpose of ISO 27001:2022 Annex A 8.28?
Per ISO 27001:2022, Annex A Control 8.28 assists organisations in preventing security risks and vulnerabilities that may arise due to poor software coding practices through developing, implementing, and reviewing appropriate secure software coding practices.
Who Has Ownership of Annex A 8.28?
A chief information security officer should be responsible for taking appropriate steps to ensure compliance with 8.28, which requires developing and implementing secure coding principles and procedures throughout the organisation.
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
Compliance Guidelines on ISO 27001:2022 Annex A 8.28
Organisations must develop and implement secure coding processes that apply to products supplied by external parties and open-source software components, as outlined in ISO 27001 Annex A Control 8.28.
In addition, organisations should remain informed about evolving real-world security threats and the latest information on known or potential software security vulnerabilities. By using this approach, organisations can develop robust, secure coding principles to combat evolving cyber threats.
Supplementary Guidance on Planning
It is essential that both new coding projects and software reuse operations adhere to secure software coding principles.
These principles should be adhered to both when developing software internally and when transferring software products or services.
Organisations should consider the following factors when developing a plan for secure coding principles and determining prerequisites for secure coding:
- Security expectations should be tailored to the organisation’s specific needs, and approved principles for secure software code should be established to apply to in-house software development and outsourced components.
- Organisations should identify and document the most prevalent and historical coding design mistakes and poor coding practices to prevent data security breaches.
- Organisations should implement and configure software development tools to ensure the security of all code created. Integrated development environments (IDEs) are an example of such tools.
- Software development tools should provide guidance and instructions to assist organisations in complying with the guidelines and instructions.
- Developing tools such as compilers should be reviewed, maintained, and used securely by organisations.
Supplementary Guidance on Security During Coding
To ensure secure coding practices and procedures, the following should be considered during the coding process:
- Coding principles for secure software should be tailored to each programming language and technique.
- Test-driven development and pair programming are examples of secure programming techniques and methods.
- Implementation of structured programming techniques.
- Documentation of the code and the removal of defects in the code.
- Using insecure software coding methods such as unapproved code samples or hard coded passwords is prohibited.
A security test should be conducted during and after development, as specified in ISO 27001 Annex A Control 8.29.
Organisations should consider the following items before implementing the software in a live application environment:
- Is there an attack surface?
- Is the least privilege principle followed?
- Analysing the most prevalent programming errors and documenting their elimination.
Manage all your compliance, all in one place
ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
Supplementary Guidance for the Review Process
Following the Implementation of the Code in the Production Environment
- A secure method should be used to apply updates.
- Per ISO 27001:2022 Annex A Control 8.8, security vulnerabilities should be addressed.
- Records should be kept of suspected attacks and errors on information systems, and these records should be reviewed regularly so that appropriate changes can be made.
- The use of tools such as management tools should be used to prevent unauthorised access, use, or modification of source code.
Organisations Should Consider the Following Factors When Using External Tools
- Regular monitoring and updating of external libraries should be conducted per their release cycles.
- A thorough review, selection, and authorisation of software components are essential, particularly those related to cryptography and authentication.
- Obtaining licenses for external components and ensuring their security.
- There should be a system for tracking and maintaining software. Moreover, it must be made certain that it has come from a reputable source.
- It is essential to have long-term development resources available.
The Following Factors Should Be Taken Into Consideration When Making Changes to a Software Package:
- Integrity processes or built-in controls may expose an organisation to risks.
- It is essential to determine whether the vendor has consented to the changes.
- Can the vendor’s consent be obtained to perform regular updates on the software?
- The likely impact of maintaining the software as it changes.
- What effect will the changes have on other software components the organisation uses?
Free yourself from a mountain of spreadsheets
Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.
Additional Guidance on ISO 27001:2022 Annex A 8.28
Organisations must make sure they use security-relevant code whenever necessary and that it is resistant to tampering.
Annex A Control 8.28 of ISO 27001:2022 makes the following recommendations for security-relevant code:
- While programs downloaded via binary code will include security-related code in the application itself, it will be limited in scope to data stored internally within the application.
- Keeping track of security-relevant code is only useful if it is run on a server that cannot be accessed by the user and is separated from the processes that are using it so that its data is kept secure in another database and safely segregated from the processes that use it. The use of a cloud service to run an interpreted code is possible, and you can restrict access to the code to privileged administrators to restrict access to the code. The recommendation is that these access rights be protected with just-in-time administrator privileges and robust authentication mechanisms that only grant access to the site at the right time.
- A suitable configuration should be implemented on web servers to prevent unauthorised access to and browsing of directories on the server.
- To develop secure application code, you must assume that the code is vulnerable to attacks due to coding errors and actions taken by malicious actors. A critical application should be designed to be immune to internal faults in a way that prevents it from being prone to errors. For example, when evaluating the output of an algorithm, it is possible to ensure that the output conforms to security requirements before the algorithm can be used in critical applications, such as those related to finance, before it can be used in the application.
- Due to a lack of good coding practices, certain web applications are highly susceptible to security threats, such as database injection and cross-site scripting attacks.
- It is recommended that organisations refer to ISO/IEC 15408 for more information on IT security evaluation and how to conduct it.
What Are the Changes From ISO 27001:2013?
Annex A 8.28 is a new Annex A control that has been added to the ISO 27001:2022 standard.
Table of All ISO 27001:2022 Annex A Controls
In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.
ISO 27001:2022 Organisational Controls
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Organisational Controls | Annex A 5.1 |
Annex A 5.1.1 Annex A 5.1.2 |
Policies for Information Security |
| Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
| Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
| Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
| Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
| Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
| Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
| Organisational Controls | Annex A 5.8 |
Annex A 6.1.5 Annex A 14.1.1 |
Information Security in Project Management |
| Organisational Controls | Annex A 5.9 |
Annex A 8.1.1 Annex A 8.1.2 |
Inventory of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.10 |
Annex A 8.1.3 Annex A 8.2.3 |
Acceptable Use of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
| Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
| Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
| Organisational Controls | Annex A 5.14 |
Annex A 13.2.1 Annex A 13.2.2 Annex A 13.2.3 |
Information Transfer |
| Organisational Controls | Annex A 5.15 |
Annex A 9.1.1 Annex A 9.1.2 |
Access Control |
| Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
| Organisational Controls | Annex A 5.17 |
Annex A 9.2.4 Annex A 9.3.1 Annex A 9.4.3 |
Authentication Information |
| Organisational Controls | Annex A 5.18 |
Annex A 9.2.2 Annex A 9.2.5 Annex A 9.2.6 |
Access Rights |
| Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
| Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
| Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
| Organisational Controls | Annex A 5.22 |
Annex A 15.2.1 Annex A 15.2.2 |
Monitoring, Review and Change Management of Supplier Services |
| Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
| Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
| Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
| Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
| Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
| Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
| Organisational Controls | Annex A 5.29 |
Annex A 17.1.1 Annex A 17.1.2 Annex A 17.1.3 |
Information Security During Disruption |
| Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
| Organisational Controls | Annex A 5.31 |
Annex A 18.1.1 Annex A 18.1.5 |
Legal, Statutory, Regulatory and Contractual Requirements |
| Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
| Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
| Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
| Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
| Organisational Controls | Annex A 5.36 |
Annex A 18.2.2 Annex A 18.2.3 |
Compliance With Policies, Rules and Standards for Information Security |
| Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |
ISO 27001:2022 People Controls
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
| People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
| People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
| People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
| People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
| People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
| People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
| People Controls | Annex A 6.8 |
Annex A 16.1.2 Annex A 16.1.3 |
Information Security Event Reporting |
ISO 27001:2022 Physical Controls
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
| Physical Controls | Annex A 7.2 |
Annex A 11.1.2 Annex A 11.1.6 |
Physical Entry |
| Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
| Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
| Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
| Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
| Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
| Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
| Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
| Physical Controls | Annex A 7.10 |
Annex A 8.3.1 Annex A 8.3.2 Annex A 8.3.3 Annex A 11.2.5 |
Storage Media |
| Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
| Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
| Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
| Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |
ISO 27001:2022 Technological Controls
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Technological Controls | Annex A 8.1 |
Annex A 6.2.1 Annex A 11.2.8 |
User Endpoint Devices |
| Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
| Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
| Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
| Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
| Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
| Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
| Technological Controls | Annex A 8.8 |
Annex A 12.6.1 Annex A 18.2.3 |
Management of Technical Vulnerabilities |
| Technological Controls | Annex A 8.9 | NEW | Configuration Management |
| Technological Controls | Annex A 8.10 | NEW | Information Deletion |
| Technological Controls | Annex A 8.11 | NEW | Data Masking |
| Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
| Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
| Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
| Technological Controls | Annex A 8.15 |
Annex A 12.4.1 Annex A 12.4.2 Annex A 12.4.3 |
Logging |
| Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
| Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
| Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility ProgramsAccess Rights |
| Technological Controls | Annex A 8.19 |
Annex A 12.5.1 Annex A 12.6.2 |
Installation of Software on Operational Systems |
| Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
| Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
| Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
| Technological Controls | Annex A 8.23 | NEW | Web filtering |
| Technological Controls | Annex A 8.24 |
Annex A 10.1.1 Annex A 10.1.2 |
Use of Cryptography |
| Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
| Technological Controls | Annex A 8.26 |
Annex A 14.1.2 Annex A 14.1.3 |
Application Security Requirements |
| Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering PrinciplesLearning From Information Security Incidents |
| Technological Controls | Annex A 8.28 | NEW | Secure Coding |
| Technological Controls | Annex A 8.29 |
Annex A 14.2.8 Annex A 14.2.9 |
Security Testing in Development and Acceptance |
| Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
| Technological Controls | Annex A 8.31 |
Annex A 12.1.4 Annex A 14.2.6 |
Separation of Development, Test and Production Environments |
| Technological Controls | Annex A 8.32 |
Annex A 12.1.2 Annex A 14.2.2 Annex A 14.2.3 Annex A 14.2.4 |
Change Management |
| Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
| Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |
How ISMS.online Helps
Whether you are completely new to information security or want to learn about ISO 27001 concisely without having to spend time reading long and detailed documents or learning from scratch, our platform is designed specifically for you.
Using ISMS.Online, you will easily access document templates, checklists and policies that can be customised to meet your needs.
Would you like to see how it works?
Get in touch today to book a demo.
