Trying to remember what I learned on M886 (OU course about Information Systems Security) - other than the fact that I never, ever want to be involved in a formal ISO27001 certification effort (Most of the things they suggest you do are quite sensible, but the amount of documentation required to say you have done so is gruesome.)
Regarding A.12.2.1. All input into Moodle is filtered in one of two ways:
All data input into forms in Moodle gets validated before use. Moodle has a forms library to facilitate creating forms, and validation is an important part of that.
Other data input (e.g. from URL parameters like /course/view.php?id=123) is processed through the optional_param/required_param API, which always takes a parameter type (like PARAM_INT) to filter the data appropriately.
In addition, the Moodle coding guidelines require the use of these techniques (http://docs.moodle.org/dev/Coding) and the Moodle code review processes (http://docs.moodle.org/dev/Process) ensure that those guidelines are followed.
Regarding A.12.2.2. One level of protection comes from the fact that all Moodle data (apart from uploaded files) are stored in a relational database (though let's gloss over the fact that for historical reasons, we don't create the foreign-key constraints). The code contains some other validation of values being processed, though often only in developer debug mode for performance reasons.
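As an added illustration (not code from the post above or from Moodle itself), here is a minimal Moodle page script exercising both filtering paths: the URL parameter goes through required_param() with PARAM_INT, and the form fields go through a moodleform whose declared types and validation() method run before get_data() returns anything. It assumes a Moodle install (config.php and formslib.php) and a hypothetical local/example plugin; the form class, field names and error messages are made up for this example.

```php
<?php
// Added example: a page script inside a hypothetical local/example plugin.
// Assumes a standard Moodle install; config.php bootstraps $CFG, $DB and $PAGE.
require_once(__DIR__ . '/../../config.php');
require_once($CFG->libdir . '/formslib.php');

// Path 1: URL parameter. required_param() cleans the value as PARAM_INT, so a
// non-numeric id never reaches the query, and a missing id stops the script.
$courseid = required_param('id', PARAM_INT);
$course   = $DB->get_record('course', array('id' => $courseid), '*', MUST_EXIST);

require_login($course);
$PAGE->set_url(new moodle_url('/local/example/index.php', array('id' => $courseid)));
$PAGE->set_context(context_course::instance($course->id));

// Path 2: form input. Every field declares a PARAM_* type via setType(), and
// validation() adds server-side checks that client-side rules cannot replace.
class local_example_note_form extends moodleform {
    public function definition() {
        $mform = $this->_form;
        $mform->addElement('hidden', 'id');
        $mform->setType('id', PARAM_INT);
        $mform->addElement('text', 'title', 'Title');
        $mform->setType('title', PARAM_TEXT);
        $mform->addRule('title', null, 'required', null, 'client');
        $mform->addElement('text', 'weight', 'Weight (1-100)');
        $mform->setType('weight', PARAM_INT);
        $this->add_action_buttons();
    }

    // Server-side validation runs on submit; any error returned blocks get_data().
    public function validation($data, $files) {
        $errors = parent::validation($data, $files);
        if ($data['weight'] < 1 || $data['weight'] > 100) {
            $errors['weight'] = 'Weight must be between 1 and 100.';
        }
        if (trim($data['title']) === '') {
            $errors['title'] = 'A title is required.';
        }
        return $errors;
    }
}

$form = new local_example_note_form();
$form->set_data(array('id' => $courseid));
if ($form->is_cancelled()) {
    redirect(new moodle_url('/course/view.php', array('id' => $courseid)));
} else if ($data = $form->get_data()) {
    // $data exists only after validation passed; every field is already cleaned.
    $DB->insert_record('local_example_note', $data);
    redirect(new moodle_url('/course/view.php', array('id' => $courseid)));
}
echo $OUTPUT->header();
$form->display();
echo $OUTPUT->footer();
```

The table name local_example_note is part of the hypothetical plugin and would need a matching db/install.xml definition.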