Requirement
Requirement lens
This control asks whether rules for secure development of software and systems are established and applied.
“Rules for the secure development of software and systems shall be established and applied.”
Plain-language meaning
Development work should follow secure rules from the beginning. This applies to software, services, networks, infrastructure, environments, and systems that are built or changed by the organization or its suppliers.
The control is not only about writing secure code. It also covers development environments, developer competence, standards, vulnerability handling, third-party developers, secure code review, and regular review of the development rules.
Why this matters
Weak development practices can introduce vulnerabilities, hidden functionality, insecure defaults, poor access control, dependency weaknesses, or production-impacting defects. A compromised development environment can also become a path into future production systems.
Secure development also protects intellectual property in code, designs, tooling, test data, and development environments.
Implementation guidance
Implementer focus
Make secure development mandatory, checkable, and supplier-applicable. A standard nobody verifies is not a control.
1. Define secure development rules
Define rules for secure coding, secure configuration, dependency use, secrets handling, code review, testing, vulnerability remediation, release gates, development environment protection, and development tool access.
2. Apply rules to all development work
Apply the same secure development expectations to internal teams, contractors, outsourced developers, and supplier-built systems where they affect the organization.
3. Train developers and reviewers
Developers, reviewers, DevOps engineers, architects, and testers should understand the secure development practices relevant to their role.
4. Verify compliance
Use peer review, secure coding audits, automated scanning, manual review, dependency scanning, and release checks. Automated tools help, but they do not replace standards, competence, and independent review.
5. Review and improve standards
Secure development standards should be reviewed when threats, public standards, technology, frameworks, incidents, or vulnerability patterns change.
Audit guidance
Auditor focus
Check whether secure development rules exist, are mandatory, are known by developers, are verified independently, and apply to third parties.
Auditors should verify:
- secure development policy or standard exists;
- standards are suitable to the risk profile;
- developers and reviewers are trained and competent;
- adherence is mandated and checked;
- secure coding audits or reviews are performed by competent people;
- reviews are not performed only by the same people who wrote the code;
- automated tools are used appropriately but not treated as the whole control;
- vulnerabilities and nonconformities are followed up and resolved;
- third parties and contractors follow the same rules;
- secure development standards are periodically reviewed and improved.
Evidence examples
Evidence quality
Strong evidence proves secure development rules are applied, verified, and improved.
| Evidence | What it proves |
|---|---|
| Secure development policy/standard | Rules are defined |
| Developer training records | Competence is supported |
| Secure code review records | Rules are checked |
| Vulnerability remediation tracker | Findings are resolved |
| Supplier development clauses | Third parties follow rules |
| Secure development audit reports | Compliance is independently verified |
| Standards review records | Rules remain current |
Strong evidence
- Secure development rules are integrated into project/release workflows.
- Secure coding and review evidence exists for sampled projects.
- Findings are tracked to closure.
- Contractors and suppliers are covered by the same requirements.
- Reviewers are competent and independent enough for the risk.
- Standards are updated after incidents, technology changes, or public guidance changes.
Weak evidence
- Secure coding guidelines exist but are optional.
- Developers are expected to “know security” without training.
- Tools run but findings are ignored.
- Reviews are done only by the code author.
- Supplier development is not checked.
- Standards are stale and do not match current languages or frameworks.
Common failures
Implementation watchouts
A.8.25 fails when secure development is documented but not enforced.
| Failure | Why it matters |
|---|---|
| Optional secure coding standard | Teams skip security under delivery pressure |
| No developer training | Rules are misunderstood |
| No independent review | Defects remain invisible |
| Tool-only assurance | Scanners miss design and logic flaws |
| Supplier exclusion | Outsourced code creates unmanaged risk |
| No standards refresh | Rules become obsolete |
Exam traps
Exam focus
A.8.25 is about rules for secure development being established and applied. It is broader than source code access.
| Trap | Correct interpretation |
|---|---|
| Secure SDLC means only secure coding | It also includes environments, training, review, tools, suppliers, and standards maintenance |
| Automated scanning proves compliance | Findings, standards, competence, and follow-up also matter |
| Contractors can use their own rules | Third parties should meet the organization’s secure development requirements |
| Code author review is enough | Independent or competent review is expected where risk requires it |
| Standards never change | Standards should be reviewed as threats and technologies evolve |
Related controls and concepts
- A.8 Technological Controls MOC
- A.8.4 Access to Source Code
- A.8.8 Management of Technical Vulnerabilities
- A.8.19 Installation of Software on Operational Systems
- A.8.26 Application Security Requirements
- A.8.27 Secure System Architecture and Engineering Principles
- A.5.8 Information Security in Project Management
- A.5.20 Addressing Information Security Within Supplier Agreements
- Risk Assessment
- Statement of Applicability
- Secure Development Policy
- Secure Development Compliance Review Checklist
- Secure Code Review Record
- Developer Security Training Matrix
- A.8.25 Audit Evidence Pack
- A.8.25 Audit Checklist
KB-ready summary
Mentor takeaway
A.8.25 makes secure development a controlled lifecycle. Strong implementation proves rules exist, developers know them, projects apply them, independent checks happen, findings close, suppliers comply, and standards stay current.
- Define secure development rules.
- Train developers and reviewers.
- Apply rules to internal and supplier work.
- Verify compliance through reviews and audits.
- Track vulnerabilities to closure.
- Review standards regularly.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Technological controls
- Secure development
- Sdlc
- Audit
Note Metadata
Aliases: A.8.25, Secure Development Life Cycle, Secure SDLC
Source: 05 Annex A Technological Controls/A.8.25 Secure Development Life Cycle.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
12
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.20 - Addressing Information Security Within Supplier Agreements
- ISO 27001 A.5.8 - Information Security in Project Management
- A.8.25 Audit Evidence Pack
- ISO 27001 A.8.19 - Installation of Software on Operational Systems
- ISO 27001 A.8.26 - Application Security Requirements
- ISO 27001 A.8.27 - Secure System Architecture and Engineering Principles
- ISO 27001 A.8.28 - Secure Coding
- ISO 27001 A.8.29 - Security Testing in Development and Acceptance
- ISO 27001 A.8.30 - Outsourced Development
- ISO 27001 A.8.31 - Separation of Development Test and Production Environments
- ISO 27001 A.8.4 - Access to Source Code
- ISO 27001 A.8.8 - Management of Technical Vulnerabilities
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.25 Secure Development Life Cycle
- A.8 Technological Controls Implementation Audit Risk Mapping
- EXAM-038 - Secure Development and Architecture
- EXAM-039 - Secure Coding and Security Testing
- EXAM-040 - Outsourced Development and Environment Separation
- ISO 27002 Annex A Control Interpretation Map
- A.8.25 Audit Checklist
- Developer Security Training Matrix
- Outsourced Development Security Requirements Checklist
- Secure Code Review Record
- Secure Coding Standard
- Secure Development Compliance Review Checklist
- Secure Development Policy
- Annex A Controls MOC