ISO 27001:2022 Annex A Control 8.28

Secure Coding

Book a demo

business,marketing,team,discussion,corporate,concept

The use of poor coding practices, such as incorrect input validation and weak key generation, can lead to cyber-attacks and the compromise of sensitive information assets.

For this reason, hackers exploited the infamous Heartbleed bug to access more than 4 million patient records.

To prevent security vulnerabilities, organisations need to follow secure coding principles.

What Is The Purpose of ISO 27001:2022 Annex A 8.28?

Per ISO 27001:2022, Annex A Control 8.28 assists organisations in preventing security risks and vulnerabilities that may arise due to poor software coding practices through developing, implementing, and reviewing appropriate secure software coding practices.

Who Has Ownership of Annex A 8.28?

A chief information security officer should be responsible for taking appropriate steps to ensure compliance with 8.28, which requires developing and implementing secure coding principles and procedures throughout the organisation.

Say hello to ISO 27001 success

Get 81% of the work done for you and get certified faster with ISMS.online

Book your demo
img

Compliance Guidelines on ISO 27001:2022 Annex A 8.28

Organisations must develop and implement secure coding processes that apply to products supplied by external parties and open-source software components, as outlined in ISO 27001 Annex A Control 8.28.

In addition, organisations should remain informed about evolving real-world security threats and the latest information on known or potential software security vulnerabilities. By using this approach, organisations can develop robust, secure coding principles to combat evolving cyber threats.

Supplementary Guidance on Planning

It is essential that both new coding projects and software reuse operations adhere to secure software coding principles.

These principles should be adhered to both when developing software internally and when transferring software products or services.

Organisations should consider the following factors when developing a plan for secure coding principles and determining prerequisites for secure coding:

  • Security expectations should be tailored to the organisation’s specific needs, and approved principles for secure software code should be established to apply to in-house software development and outsourced components.
  • Organisations should identify and document the most prevalent and historical coding design mistakes and poor coding practices to prevent data security breaches.
  • Organisations should implement and configure software development tools to ensure the security of all code created. Integrated development environments (IDEs) are an example of such tools.
  • Software development tools should provide guidance and instructions to assist organisations in complying with the guidelines and instructions.
  • Developing tools such as compilers should be reviewed, maintained, and used securely by organisations.

Supplementary Guidance on Security During Coding

To ensure secure coding practices and procedures, the following should be considered during the coding process:

  • Coding principles for secure software should be tailored to each programming language and technique.
  • Test-driven development and pair programming are examples of secure programming techniques and methods.
  • Implementation of structured programming techniques.
  • Documentation of the code and the removal of defects in the code.
  • Using insecure software coding methods such as unapproved code samples or hard coded passwords is prohibited.

A security test should be conducted during and after development, as specified in ISO 27001 Annex A Control 8.29.

Organisations should consider the following items before implementing the software in a live application environment:

  • Is there an attack surface?
  • Is the least privilege principle followed?
  • Analysing the most prevalent programming errors and documenting their elimination.

Supplementary Guidance for the Review Process

Following the Implementation of the Code in the Production Environment

  • A secure method should be used to apply updates.
  • Per ISO 27001:2022 Annex A Control 8.8, security vulnerabilities should be addressed.
  • Records should be kept of suspected attacks and errors on information systems, and these records should be reviewed regularly so that appropriate changes can be made.
  • The use of tools such as management tools should be used to prevent unauthorised access, use, or modification of source code.

Organisations Should Consider the Following Factors When Using External Tools

  • Regular monitoring and updating of external libraries should be conducted per their release cycles.
  • A thorough review, selection, and authorisation of software components are essential, particularly those related to cryptography and authentication.
  • Obtaining licenses for external components and ensuring their security.
  • There should be a system for tracking and maintaining software. Moreover, it must be made certain that it has come from a reputable source.
  • It is essential to have long-term development resources available.

The Following Factors Should Be Taken Into Consideration When Making Changes to a Software Package:

  • Integrity processes or built-in controls may expose an organisation to risks.
  • It is essential to determine whether the vendor has consented to the changes.
  • Can the vendor’s consent be obtained to perform regular updates on the software?
  • The likely impact of maintaining the software as it changes.
  • What effect will the changes have on other software components the organisation uses?

Additional Guidance on ISO 27001:2022 Annex A 8.28

Organisations must make sure they use security-relevant code whenever necessary and that it is resistant to tampering.

Annex A Control 8.28 of ISO 27001:2022 makes the following recommendations for security-relevant code:

  • While programs downloaded via binary code will include security-related code in the application itself, it will be limited in scope to data stored internally within the application.
  • Keeping track of security-relevant code is only useful if it is run on a server that cannot be accessed by the user and is separated from the processes that are using it so that its data is kept secure in another database and safely segregated from the processes that use it. The use of a cloud service to run an interpreted code is possible, and you can restrict access to the code to privileged administrators to restrict access to the code. The recommendation is that these access rights be protected with just-in-time administrator privileges and robust authentication mechanisms that only grant access to the site at the right time.
  • A suitable configuration should be implemented on web servers to prevent unauthorised access to and browsing of directories on the server.
  • To develop secure application code, you must assume that the code is vulnerable to attacks due to coding errors and actions taken by malicious actors. A critical application should be designed to be immune to internal faults in a way that prevents it from being prone to errors. For example, when evaluating the output of an algorithm, it is possible to ensure that the output conforms to security requirements before the algorithm can be used in critical applications, such as those related to finance, before it can be used in the application.
  • Due to a lack of good coding practices, certain web applications are highly susceptible to security threats, such as database injection and cross-site scripting attacks.
  • It is recommended that organisations refer to ISO/IEC 15408 for more information on IT security evaluation and how to conduct it.

What Are the Changes From ISO 27001:2013?

Annex A 8.28 is a new Annex A control that has been added to the ISO 27001:2022 standard.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2
Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1
Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2
Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3
Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3
Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2
Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3
Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6
Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2
Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3
Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5
Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3
Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3
Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6
Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
Annex A 11.2.5
Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8
User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3
Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3
Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2
Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2
Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3
Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9
Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6
Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4
Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing

How ISMS.online Helps

Whether you are completely new to information security or want to learn about ISO 27001 concisely without having to spend time reading long and detailed documents or learning from scratch, our platform is designed specifically for you.

Using ISMS.Online, you will easily access document templates, checklists and policies that can be customised to meet your needs.

Would you like to see how it works?

Get in touch today to book a demo.

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

Assured Results Method
100% ISO 27001 success

Your simple, practical, time-saving path to first-time ISO 27001 compliance or certification

Book your demo

Explore ISMS.online's platform with a self-guided tour - Start Now