UnixTime

Research Note

EXAM-028 - Source Code, Authentication, and Capacity

- A.8.4 includes development tools and software libraries, not only Git repositories. - Read access to source code can still be sensitive because it reveals system design and co...

On this page

Memory cues

Control Cue
A.8.4 Access to Source Code Protect code, build tools, and libraries from unauthorized read/write access
A.8.5 Secure Authentication Make authentication strong enough for the access risk
A.8.6 Capacity Management Monitor and adjust resources before capacity becomes an availability issue

Likely exam traps

  • A.8.4 includes development tools and software libraries, not only Git repositories.
  • Read access to source code can still be sensitive because it reveals system design and controls.
  • A.8.5 is not the same as A.5.17 Authentication Information.
  • Password plus PIN is not true MFA if both are the same factor type.
  • Capacity management includes cloud limits, network, storage, databases, and staff, not only server CPU.
  • Monitoring alone is not enough for A.8.6; trend analysis and action matter.

Quick comparison

Question A.8.4 A.8.5 A.8.6
Main concern Code and toolchain integrity/confidentiality Authentication strength and procedure Availability through resource planning
Evidence Repository access, branch protection, change records, CI/CD access, dependency controls Authentication standard, MFA config, failed logon controls, error message review, exceptions Capacity plan, monitoring, thresholds, trend reports, forecasts, action plans
Common failure Repository protected but build tools or libraries uncontrolled Repeated single-factor mistaken for MFA Dashboards exist but no forecast or action
Audit method Sample code/tool access and change path Test configuration and logon behavior Review trends, thresholds, and capacity actions

Practical mentor takeaway

Exam lens

A.8.4 protects what creates the system. A.8.5 protects the identity challenge. A.8.6 protects service availability by managing resource pressure before it becomes an incident.

  • Iso27001
  • Exam
  • Technological controls

Note Metadata

Aliases: A.8.4 A.8.5 A.8.6 exam cues

Source: 09-Exam-Preparation/EXAM-028-Source-Code-Authentication-and-Capacity.md