What the auditor wants to verify
Audit objective
Verify that secure coding principles are defined, selected by coding context, known by developers, applied, checked, and exception-managed.
Evidence to request
| Evidence | Purpose |
|---|---|
| Coding scope register | Shows where coding occurs |
| Secure coding standard | Shows coding rules are defined |
| Training records | Shows developers know the rules |
| Static analysis/secret scan results | Shows automated compliance checks |
| Secure code review records | Shows human review |
| Exception records | Shows noncompliance is risk-managed |
| Supplier coding requirements | Shows third-party coding is covered |
Strong evidence
- Standards are language, framework, and risk-specific.
- Developers can retrieve and explain applicable standards.
- Automated checks run and findings are reviewed.
- Secure code reviews are recorded.
- Exceptions are approved and reviewed.
- AI-generated code is reviewed before acceptance.
Weak evidence
- Generic secure coding guidance only.
- Developers are unaware of standards.
- Tool findings are ignored.
- Exceptions are informal.
- Third-party or generated code is trusted without review.
Sample interview questions
- What coding standards apply to your work?
- Where do you find the standards?
- What happens if the standard cannot be applied?
- What automated checks run?
- How are secure coding findings remediated?
- How is AI-generated or supplier code reviewed?
Common nonconformities
- Coding activities are not identified.
- Standards are not context-specific.
- Developers are not trained.
- Static analysis findings are not reviewed.
- Exceptions are not approved.
Related notes
- Audit
- Evidence
- A8 28
- Iso27001
Note Metadata
Aliases: A.8.28 Evidence
Source: 04 Audit Evidence Packs/A.8.28 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- Audit Evidence MOC
- ISO 27001 A.8.28 - Secure Coding
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.28 Secure Coding
- A.8.28 Audit Checklist
- AI-Generated Code Security Review Checklist
- Secure Code Review Record
- Secure Coding Compliance Review Checklist
- Secure Coding Exception Record
- Secure Coding Standard
- Audit Evidence Index