When to use this
Use this checklist to review compilers, build tools, CI/CD runners, package sources, dependency registries, and library integrity controls.
Related controls
Checklist
- Development tools are approved and obtained from trusted sources.
- CI/CD runners and build agents are access-controlled.
- Dependency registries or mirrors are approved.
- Package/library integrity checks are used where available.
- Code signing or release signing is used where justified.
- Build tool administrators are reviewed.
- Production systems do not host development tools unless justified.
- Build logs and artifacts are retained according to policy.
Review table
| Tool/library/source | Owner | Trusted source? | Access controlled? | Integrity check | Gap/action |
|---|---|---|---|---|---|
| TBD | TBD | Yes/No | Yes/No | TBD | TBD |
- Template
- Iso27001
- Technological controls
- Secure development
Note Metadata
Aliases: Build Tool Integrity Checklist, Software Library Integrity Checklist
Source: 90 Templates/Development Tool and Library Integrity Checklist.md
Related Notes
- A.8.4 Audit Evidence Pack
- ISO 27001 A.8.4 - Access to Source Code
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- A.8 Technological Controls Implementation Audit Risk Mapping
- A.8.4 Audit Checklist
- Source Code Access Register
- Templates MOC