What the auditor wants to verify
Audit objective
Verify that secure development rules are established, applied, checked, and improved for software and systems development.
Evidence to request
| Evidence | Purpose |
|---|---|
| Secure development policy/standard | Shows rules are defined |
| Developer training records | Shows competence |
| Secure code review records | Shows standards are checked |
| Vulnerability remediation tracker | Shows findings are resolved |
| Supplier/contractor development clauses | Shows third parties are covered |
| Secure development audit reports | Shows routine verification |
| Standards review records | Shows rules are maintained |
Strong evidence
- Secure development rules are mandatory and integrated into workflow.
- Developers and reviewers have relevant training.
- Reviews are performed by competent reviewers, not only code authors.
- Automated and manual review findings are tracked to closure.
- Supplier development is checked against the same rules.
- Standards are reviewed after threat, technology, or incident changes.
Weak evidence
- Secure coding guidance is optional.
- Tool scans run but findings are ignored.
- Developers have no secure development training.
- Contractors follow unmanaged practices.
- Standards are stale.
Sample interview questions
- What secure development standard do you follow?
- How are developers trained?
- Who reviews code for security?
- How are vulnerabilities tracked and closed?
- How are contractors required to follow secure development rules?
- When were the secure development standards last reviewed?
Common nonconformities
- Secure development rules are not mandatory.
- No evidence of compliance checks.
- Findings are not remediated.
- Supplier development is excluded.
- Reviewers lack competence or independence.
Related notes
- Audit
- Evidence
- A8 25
- Iso27001
Note Metadata
Aliases: A.8.25 Evidence
Source: 04 Audit Evidence Packs/A.8.25 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- Audit Evidence MOC
- ISO 27001 A.8.25 - Secure Development Life Cycle
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.25 Secure Development Life Cycle
- A.8.25 Audit Checklist
- Developer Security Training Matrix
- Secure Code Review Record
- Secure Development Compliance Review Checklist
- Secure Development Policy
- Audit Evidence Index