Isn’t there a layer 2 as procedures and principles?
1.1. Secure coding
[Job title] will issue procedures for secure coding of information systems, both for the development of new systems and for the maintenance of existing systems, as well as set the minimum secure coding practices that must be complied with.
The same secure coding principles will be applied to outsourced development, and defined through the contracts as defined in [Supplier Security Policy].