What the auditor wants to verify
Audit objective
Verify that read/write access to source code, development tools, and software libraries is controlled, reviewed, and protected from unauthorized modification.
Evidence to request
| Evidence | Purpose |
|---|---|
| Source code repository register | Shows code locations are known |
| Repository access lists | Shows read/write access is controlled |
| Branch protection and approval settings | Shows unauthorized direct changes are restricted |
| Change records and pull requests | Shows changes are reviewed and tested |
| CI/CD and build tool access lists | Shows build paths are protected |
| Dependency/library source controls | Shows libraries are trusted and controlled |
| Code signing/checksum records | Shows integrity can be verified |
| Access review/removal records | Shows stale access is removed |
Strong evidence
- Source code is centrally stored in controlled repositories.
- Read/write/merge/build/release permissions are separated.
- Changes require review, approval, and test evidence.
- Build tools and dependency sources are protected.
- Source code is not exposed on production systems without justification.
- Macros, report programs, scripts, and stored procedures are controlled where relevant.
Weak evidence
- Broad developer group has write access everywhere.
- Production systems contain source code and compilers by default.
- CI/CD administrators are not reviewed.
- Dependencies are downloaded from uncontrolled sources.
- Direct branch pushes bypass review.
- Macros and report programs are outside change control.
Sample interview questions
- Where is source code stored?
- Who can read, write, merge, build, and release code?
- How are changes reviewed and tested?
- Are build tools and compilers protected?
- How are third-party libraries approved?
- Is any source code present on production systems?
Common nonconformities
- No source code access review.
- Source code or tools stored on production without justification.
- Unprotected build pipeline.
- No branch protection or change approval.
- Library sources not controlled.
- Code-impacting macros or reports not managed.
Related notes
- Audit
- Evidence
- A8 4
- Iso27001
Note Metadata
Aliases: A.8.4 Evidence
Source: 04 Audit Evidence Packs/A.8.4 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.