UnixTime

Research Note

A.8.25 Audit Evidence Pack

- Secure development rules are mandatory and integrated into workflow. - Developers and reviewers have relevant training. - Reviews are performed by competent reviewers, not onl...

On this page

What the auditor wants to verify

Audit objective

Verify that secure development rules are established, applied, checked, and improved for software and systems development.

Evidence to request

Evidence Purpose
Secure development policy/standard Shows rules are defined
Developer training records Shows competence
Secure code review records Shows standards are checked
Vulnerability remediation tracker Shows findings are resolved
Supplier/contractor development clauses Shows third parties are covered
Secure development audit reports Shows routine verification
Standards review records Shows rules are maintained

Strong evidence

  • Secure development rules are mandatory and integrated into workflow.
  • Developers and reviewers have relevant training.
  • Reviews are performed by competent reviewers, not only code authors.
  • Automated and manual review findings are tracked to closure.
  • Supplier development is checked against the same rules.
  • Standards are reviewed after threat, technology, or incident changes.

Weak evidence

  • Secure coding guidance is optional.
  • Tool scans run but findings are ignored.
  • Developers have no secure development training.
  • Contractors follow unmanaged practices.
  • Standards are stale.

Sample interview questions

  • What secure development standard do you follow?
  • How are developers trained?
  • Who reviews code for security?
  • How are vulnerabilities tracked and closed?
  • How are contractors required to follow secure development rules?
  • When were the secure development standards last reviewed?

Common nonconformities

  • Secure development rules are not mandatory.
  • No evidence of compliance checks.
  • Findings are not remediated.
  • Supplier development is excluded.
  • Reviewers lack competence or independence.
  • Audit
  • Evidence
  • A8 25
  • Iso27001

Note Metadata

Aliases: A.8.25 Evidence

Source: 04 Audit Evidence Packs/A.8.25 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.