User
What will the certification auditor ask regarding secure software development?
Experta
During the certification audit, the auditor might look for the following evidence regarding secure software development:
- If security rules are integrated into the software lifecycle process, i.e., from the software conception to software retirement (control A.8.25 Secure development life cycle).
- If information security requirements are considered in acquired and/or developed software (control A.8.26 Application security requirements).
- If principles and methods for engineering secure systems are integrated into the software lifecycle process (control A.8.27 Secure system architecture and engineering principles).
- If principles for secure coding are integrated into the software lifecycle process (control A.8.28 Secure coding).
- If the software is tested against the security requirements to ensure security is implemented as specified (control A.8.29 Security testing in development and acceptance).
- If software development performed by external parties follows proper practices and security rules (control A.8.30 Outsourced development).
- If development, test, and production environments are effectively separated (control A.8.31 Separation of development, test and production environments).
- If changes in information systems are properly controlled and authorized (control A.8.32 Change management).
- If the information used for testing information systems is properly selected and protected (control A.8.33 Test information).
Examples:
- A company has written a Secure Development Policy where it has defined the process that software needs to follow from conception to retirement — the auditor might ask to see documentation from several developed information systems to see if they are following the defined process.
- A company has written Security Requirements Specification documents where it defines what acquired or developed systems need to fulfill in terms of security — the auditor might ask to see several requirements documents to see if the related information systems comply with them.
- A company has defined in its Secure Development Policy principles and methods for engineering secure systems — the auditor might ask to see documentation from several developed information systems to see if defined principles and methods are being followed.
- A company has defined in its Secure Development Policy principles for secure coding — the auditor might ask to see coding documentation from several developed information systems to see if defined principles for secure coding are being followed.
- A company has defined in its Secure Development Policy a security testing process — the auditor might ask to see several testing reports to see if the defined testing process is being followed.
- A company has defined in its Secure Development Policy what needs to be considered for software developed by third parties — the auditor might ask to see contracts/service agreements established with outsourced developers, and documentation developed by them, to see if defined conditions are being followed.
- A company has defined in its Secure Development Policy how environments are separated, and criteria for evaluating separation needs — the auditor might ask to see the implemented configuration for separation of environments to see if they are compliant with defined rules.
- A company has written a Security Procedures for IT Department document where it defines how changes are controlled and authorized — the auditor might ask to see the latest assets that have been changed and their change reports to see how they were controlled and by whom they were approved.
- A company has defined in its Secure Development Policy rules to select data for testing of information systems and how to handle them — the auditor might ask to see various test data repositories to see if they are defined and handled according to defined rules.