UnixTime

Research Note

ISO 27001 A.8.4 - Access to Source Code

Source code, build tools, compilers, package repositories, CI/CD pipelines, and software libraries can directly change how systems behave. If an attacker or unauthorized insider...

On this page

Requirement

Requirement lens

This control asks whether read and write access to source code, development tools, and software libraries is controlled and protected.

“Read and write access to source code, development tools and software libraries shall be appropriately managed.”

Plain-language meaning

Source code, build tools, compilers, package repositories, CI/CD pipelines, and software libraries can directly change how systems behave. If an attacker or unauthorized insider can read or modify them, they can understand the system, bypass controls, insert malicious code, or compromise the build process.

This control is not only about Git repository permissions. It also covers development tools, build environments, libraries, macros, report programs, and any mechanism used to modify or generate executable behavior.

Why this matters

Source code can reveal sensitive architecture, business logic, security controls, credentials accidentally committed by developers, API patterns, and implementation weaknesses. Write access is even more sensitive because unauthorized changes can introduce backdoors, integrity failures, or availability problems.

Development tools deserve equivalent protection. A compromised compiler, build server, package source, or dependency can alter software even when the source repository looks clean.

Implementation guidance

Implementer focus

Treat source code and build tooling as high-value assets. Control who can read, write, approve, build, sign, and release code.

1. Centralize and protect repositories

Source code should normally be stored in controlled repositories, not scattered across desktops, shared drives, production servers, or unmanaged developer machines.

Practical controls include:

  • named user access;
  • least privilege by repository and branch;
  • separation between read, write, approve, merge, build, and release permissions;
  • MFA for repository and CI/CD access;
  • logging of repository access and changes;
  • branch protection and pull request approval;
  • removal of access after role change or departure.

2. Keep source code away from production systems

Production systems should not normally store or expose source code, build scripts, compilers, or development tooling. Production access should not become a shortcut to modify or recompile application behavior.

3. Protect development tools and libraries

Development tools and libraries should come from trusted sources and be protected from unauthorized modification. This includes compilers, build agents, CI/CD runners, dependency registries, package managers, library mirrors, and code signing tools.

4. Control code changes

Changes should be traceable from request to approval, review, test, merge, build, and release. Digital signatures, checksums, signed commits, protected branches, or release attestations can help detect unauthorized modification where justified.

5. Include macros and report programs

Macros, report builders, database scripts, stored procedures, and low-code components can change business logic or data output. They should not be ignored just because they are not in a traditional software repository.

Audit guidance

Auditor focus

Test whether source code, development tools, libraries, and build paths are protected from unauthorized read/write access and unauthorized modification.

Auditors should verify:

  • source code repository list;
  • repository access permissions;
  • branch protection and approval rules;
  • change records and merge history;
  • CI/CD and build tool access;
  • dependency/library source controls;
  • code signing, checksum, or integrity verification where applicable;
  • evidence that source code is not stored on production systems without justification;
  • controls for macros, database report programs, stored procedures, and scripts;
  • access review and removal records.

Evidence examples

Evidence quality

Strong evidence proves access is controlled, changes are reviewed, build tools are protected, and unauthorized modification can be detected.

Evidence What it proves
Source code repository register Code locations are known
Repository access list Read/write access is controlled
Pull request and approval history Changes are reviewed
Branch protection settings Direct unauthorized modification is restricted
CI/CD access list Build and deployment tooling is controlled
Dependency registry configuration Libraries come from trusted sources
Code signing/checksum records Changes can be verified
Access review records Stale developer access is removed

Strong evidence

  • Repositories are centrally managed.
  • Production systems do not expose source code or development tools without justification.
  • Write access is limited and reviewed.
  • Changes require review, test, and approval.
  • Build tools and dependency sources are protected.
  • Macros, reports, and database scripts are included in scope where relevant.

Weak evidence

  • Developers keep local unmanaged source copies as the main record.
  • Production servers contain source code and compilers by default.
  • Repository write access is broad or inherited from generic groups.
  • Direct pushes to protected branches are allowed.
  • CI/CD administrators are not reviewed.
  • Dependencies are pulled from untrusted or uncontrolled sources.

Common failures

Implementation watchouts

A.8.4 fails when the repository is protected but the build system, dependency path, macros, or production copy can still modify application behavior.

Failure Why it matters
Source code on production systems Production access can become code modification access
Broad repository write access Unauthorized or accidental changes become likely
Unprotected build tools Clean source can produce compromised software
Weak dependency controls Malicious or wrong libraries enter the product
No code review Integrity defects and backdoors are missed
Macros/reports ignored Business logic can be changed outside normal SDLC

Exam traps

Exam focus

A.8.4 is broader than source repository permissions. It includes development tools and software libraries.

Trap Correct interpretation
This control only applies to developers It applies to anyone with read/write access to code, tools, libraries, scripts, macros, or report logic
Protecting Git is enough Build tools, CI/CD, dependencies, and production copies also matter
Read access is harmless Source code can reveal system design and security controls
Production servers may hold source code for convenience This should be avoided or strongly justified and controlled
Macros and report programs are not source code They can affect integrity and availability and may need similar controls

KB-ready summary

Mentor takeaway

A.8.4 protects source code and the toolchain that turns code into running systems. Strong implementation controls read/write access, code changes, build tools, libraries, and integrity verification.

  • Centralize source code in controlled repositories.
  • Restrict read/write/merge/build/release permissions.
  • Keep source code and development tools off production unless justified.
  • Protect compilers, CI/CD, dependencies, and code signing.
  • Include macros, report programs, scripts, and stored procedures where they affect system behavior.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Technological controls
  • Secure development
  • Source code
  • Audit

Note Metadata

Aliases: A.8.4, Access to Source Code

Source: 05 Annex A Technological Controls/A.8.4 Access to Source Code.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

11

links

01
02

Implementation artifacts

Templates and working records that help operate the control.

03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

05

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.