UnixTime

Research Note

A.8.28 Audit Evidence Pack

- Standards are language, framework, and risk-specific. - Developers can retrieve and explain applicable standards. - Automated checks run and findings are reviewed. - Secure co...

On this page

What the auditor wants to verify

Audit objective

Verify that secure coding principles are defined, selected by coding context, known by developers, applied, checked, and exception-managed.

Evidence to request

Evidence Purpose
Coding scope register Shows where coding occurs
Secure coding standard Shows coding rules are defined
Training records Shows developers know the rules
Static analysis/secret scan results Shows automated compliance checks
Secure code review records Shows human review
Exception records Shows noncompliance is risk-managed
Supplier coding requirements Shows third-party coding is covered

Strong evidence

  • Standards are language, framework, and risk-specific.
  • Developers can retrieve and explain applicable standards.
  • Automated checks run and findings are reviewed.
  • Secure code reviews are recorded.
  • Exceptions are approved and reviewed.
  • AI-generated code is reviewed before acceptance.

Weak evidence

  • Generic secure coding guidance only.
  • Developers are unaware of standards.
  • Tool findings are ignored.
  • Exceptions are informal.
  • Third-party or generated code is trusted without review.

Sample interview questions

  • What coding standards apply to your work?
  • Where do you find the standards?
  • What happens if the standard cannot be applied?
  • What automated checks run?
  • How are secure coding findings remediated?
  • How is AI-generated or supplier code reviewed?

Common nonconformities

  • Coding activities are not identified.
  • Standards are not context-specific.
  • Developers are not trained.
  • Static analysis findings are not reviewed.
  • Exceptions are not approved.
  • Audit
  • Evidence
  • A8 28
  • Iso27001

Note Metadata

Aliases: A.8.28 Evidence

Source: 04 Audit Evidence Packs/A.8.28 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.