When to use this
Use this checklist during an internal audit of source code, development tools, software libraries, and code-impacting scripts or macros.
Related controls
- A.8.4 Access to Source Code
- A.8.4 Audit Evidence Pack
- Source Code Access Register
- Development Tool and Library Integrity Checklist
- Source Code Change Control Checklist
Audit checklist
- Review source code repository register.
- Sample repository read/write/merge/admin access.
- Check branch protection and approval rules.
- Review code change records and test evidence.
- Check CI/CD and build tool access.
- Review dependency/library source controls.
- Check production systems for source code or development tools.
- Review macros, reports, scripts, and stored procedures where relevant.
- Review source code access review/removal evidence.
Findings table
| Repository/tool | Expected evidence | Observed evidence | Gap | Finding type | Action owner |
|---|---|---|---|---|---|
| TBD | TBD | TBD | TBD | NC / observation / conforming | TBD |
- Template
- Audit
- Iso27001
- A8 4
Note Metadata
Aliases: A.8.4 Source Code Audit Checklist
Source: 90 Templates/A.8.4 Audit Checklist.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- A.8.4 Audit Evidence Pack
- Audit Evidence MOC
- ISO 27001 A.8.4 - Access to Source Code
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Audit Risk Mapping
- Development Tool and Library Integrity Checklist
- Source Code Access Register
- Source Code Change Control Checklist
- Audit Evidence Index
- Templates MOC