Requirement
Requirement lens
This control asks whether read and write access to source code, development tools, and software libraries is controlled and protected.
“Read and write access to source code, development tools and software libraries shall be appropriately managed.”
Plain-language meaning
Source code, build tools, compilers, package repositories, CI/CD pipelines, and software libraries can directly change how systems behave. If an attacker or unauthorized insider can read or modify them, they can understand the system, bypass controls, insert malicious code, or compromise the build process.
This control is not only about Git repository permissions. It also covers development tools, build environments, libraries, macros, report programs, and any mechanism used to modify or generate executable behavior.
Why this matters
Source code can reveal sensitive architecture, business logic, security controls, credentials accidentally committed by developers, API patterns, and implementation weaknesses. Write access is even more sensitive because unauthorized changes can introduce backdoors, integrity failures, or availability problems.
Development tools deserve equivalent protection. A compromised compiler, build server, package source, or dependency can alter software even when the source repository looks clean.
Implementation guidance
Implementer focus
Treat source code and build tooling as high-value assets. Control who can read, write, approve, build, sign, and release code.
1. Centralize and protect repositories
Source code should normally be stored in controlled repositories, not scattered across desktops, shared drives, production servers, or unmanaged developer machines.
Practical controls include:
- named user access;
- least privilege by repository and branch;
- separation between read, write, approve, merge, build, and release permissions;
- MFA for repository and CI/CD access;
- logging of repository access and changes;
- branch protection and pull request approval;
- removal of access after role change or departure.
2. Keep source code away from production systems
Production systems should not normally store or expose source code, build scripts, compilers, or development tooling. Production access should not become a shortcut to modify or recompile application behavior.
3. Protect development tools and libraries
Development tools and libraries should come from trusted sources and be protected from unauthorized modification. This includes compilers, build agents, CI/CD runners, dependency registries, package managers, library mirrors, and code signing tools.
4. Control code changes
Changes should be traceable from request to approval, review, test, merge, build, and release. Digital signatures, checksums, signed commits, protected branches, or release attestations can help detect unauthorized modification where justified.
5. Include macros and report programs
Macros, report builders, database scripts, stored procedures, and low-code components can change business logic or data output. They should not be ignored just because they are not in a traditional software repository.
Audit guidance
Auditor focus
Test whether source code, development tools, libraries, and build paths are protected from unauthorized read/write access and unauthorized modification.
Auditors should verify:
- source code repository list;
- repository access permissions;
- branch protection and approval rules;
- change records and merge history;
- CI/CD and build tool access;
- dependency/library source controls;
- code signing, checksum, or integrity verification where applicable;
- evidence that source code is not stored on production systems without justification;
- controls for macros, database report programs, stored procedures, and scripts;
- access review and removal records.
Evidence examples
Evidence quality
Strong evidence proves access is controlled, changes are reviewed, build tools are protected, and unauthorized modification can be detected.
| Evidence | What it proves |
|---|---|
| Source code repository register | Code locations are known |
| Repository access list | Read/write access is controlled |
| Pull request and approval history | Changes are reviewed |
| Branch protection settings | Direct unauthorized modification is restricted |
| CI/CD access list | Build and deployment tooling is controlled |
| Dependency registry configuration | Libraries come from trusted sources |
| Code signing/checksum records | Changes can be verified |
| Access review records | Stale developer access is removed |
Strong evidence
- Repositories are centrally managed.
- Production systems do not expose source code or development tools without justification.
- Write access is limited and reviewed.
- Changes require review, test, and approval.
- Build tools and dependency sources are protected.
- Macros, reports, and database scripts are included in scope where relevant.
Weak evidence
- Developers keep local unmanaged source copies as the main record.
- Production servers contain source code and compilers by default.
- Repository write access is broad or inherited from generic groups.
- Direct pushes to protected branches are allowed.
- CI/CD administrators are not reviewed.
- Dependencies are pulled from untrusted or uncontrolled sources.
Common failures
Implementation watchouts
A.8.4 fails when the repository is protected but the build system, dependency path, macros, or production copy can still modify application behavior.
| Failure | Why it matters |
|---|---|
| Source code on production systems | Production access can become code modification access |
| Broad repository write access | Unauthorized or accidental changes become likely |
| Unprotected build tools | Clean source can produce compromised software |
| Weak dependency controls | Malicious or wrong libraries enter the product |
| No code review | Integrity defects and backdoors are missed |
| Macros/reports ignored | Business logic can be changed outside normal SDLC |
Exam traps
Exam focus
A.8.4 is broader than source repository permissions. It includes development tools and software libraries.
| Trap | Correct interpretation |
|---|---|
| This control only applies to developers | It applies to anyone with read/write access to code, tools, libraries, scripts, macros, or report logic |
| Protecting Git is enough | Build tools, CI/CD, dependencies, and production copies also matter |
| Read access is harmless | Source code can reveal system design and security controls |
| Production servers may hold source code for convenience | This should be avoided or strongly justified and controlled |
| Macros and report programs are not source code | They can affect integrity and availability and may need similar controls |
Related controls and concepts
- A.8 Technological Controls MOC
- A.8.2 Privileged Access Rights
- A.8.3 Information Access Restriction
- A.5.15 Access Control
- A.5.18 Access Rights
- A.5.28 Collection of Evidence
- Risk Assessment
- Statement of Applicability
- Source Code Access Register
- Development Tool and Library Integrity Checklist
- Source Code Change Control Checklist
- A.8.4 Audit Evidence Pack
- A.8.4 Audit Checklist
KB-ready summary
Mentor takeaway
A.8.4 protects source code and the toolchain that turns code into running systems. Strong implementation controls read/write access, code changes, build tools, libraries, and integrity verification.
- Centralize source code in controlled repositories.
- Restrict read/write/merge/build/release permissions.
- Keep source code and development tools off production unless justified.
- Protect compilers, CI/CD, dependencies, and code signing.
- Include macros, report programs, scripts, and stored procedures where they affect system behavior.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Technological controls
- Secure development
- Source code
- Audit
Note Metadata
Aliases: A.8.4, Access to Source Code
Source: 05 Annex A Technological Controls/A.8.4 Access to Source Code.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
11
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.18 - Access Rights
- ISO 27001 A.5.28 - Collection of Evidence
- A.8.4 Audit Evidence Pack
- ISO 27001 A.8.19 - Installation of Software on Operational Systems
- ISO 27001 A.8.2 - Privileged Access Rights
- ISO 27001 A.8.25 - Secure Development Life Cycle
- ISO 27001 A.8.28 - Secure Coding
- ISO 27001 A.8.3 - Information Access Restriction
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.4 Access to Source Code
- A.8 Technological Controls Implementation Audit Risk Mapping
- EXAM-028 - Source Code, Authentication, and Capacity
- ISO 27002 Annex A Control Interpretation Map
- A.8.4 Audit Checklist
- Development Tool and Library Integrity Checklist
- Secure Code Review Record
- Secure Development Policy
- Source Code Access Register
- Source Code Change Control Checklist
- Annex A Controls MOC