UnixTime

Research Note

A.8.4 Audit Evidence Pack

- Source code is centrally stored in controlled repositories. - Read/write/merge/build/release permissions are separated. - Changes require review, approval, and test evidence....

On this page

What the auditor wants to verify

Audit objective

Verify that read/write access to source code, development tools, and software libraries is controlled, reviewed, and protected from unauthorized modification.

Evidence to request

Evidence Purpose
Source code repository register Shows code locations are known
Repository access lists Shows read/write access is controlled
Branch protection and approval settings Shows unauthorized direct changes are restricted
Change records and pull requests Shows changes are reviewed and tested
CI/CD and build tool access lists Shows build paths are protected
Dependency/library source controls Shows libraries are trusted and controlled
Code signing/checksum records Shows integrity can be verified
Access review/removal records Shows stale access is removed

Strong evidence

  • Source code is centrally stored in controlled repositories.
  • Read/write/merge/build/release permissions are separated.
  • Changes require review, approval, and test evidence.
  • Build tools and dependency sources are protected.
  • Source code is not exposed on production systems without justification.
  • Macros, report programs, scripts, and stored procedures are controlled where relevant.

Weak evidence

  • Broad developer group has write access everywhere.
  • Production systems contain source code and compilers by default.
  • CI/CD administrators are not reviewed.
  • Dependencies are downloaded from uncontrolled sources.
  • Direct branch pushes bypass review.
  • Macros and report programs are outside change control.

Sample interview questions

  • Where is source code stored?
  • Who can read, write, merge, build, and release code?
  • How are changes reviewed and tested?
  • Are build tools and compilers protected?
  • How are third-party libraries approved?
  • Is any source code present on production systems?

Common nonconformities

  • No source code access review.
  • Source code or tools stored on production without justification.
  • Unprotected build pipeline.
  • No branch protection or change approval.
  • Library sources not controlled.
  • Code-impacting macros or reports not managed.
  • Audit
  • Evidence
  • A8 4
  • Iso27001

Note Metadata

Aliases: A.8.4 Evidence

Source: 04 Audit Evidence Packs/A.8.4 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.