ISO 27001 Annex A Control 8.4

ISO 27001 control 8.4 Access to source code

The basics

ISO 27001 control A.8.4 Access to source code requires companies to manage access to source code, development tools, and software libraries, in order to prevent unauthorized changes to the software and the disclosure of sensitive information contained in it.

Documentation

ISO 27001 control A.8.4 Access to source code can be documented by writing:

  • smaller and mid-size companies might write an Access Control Policy to define the rules for accessing source code
  • larger companies might write a Procedure for Accessing the Source Code

These documents are not mandatory but are recommended for all larger companies.

Implementation

In order to comply with control A.8.4 Access to source code you might implement the following:

  • Technology — the technology used to control access to source code may include software (e.g., user management systems, logging and monitoring tools), hardware (e.g., physically separated servers and network devices), and networks (e.g., firewalls and routers). Companies may use the access control features available on their local computers to restrict access rights to source code (e.g., read-only access), development tools, and software libraries, and may use networked systems to allow centralized and remote management of access to source code.
  • Organization/processes — you should set up a process that defines how restrictions on access to source code, development tools, and software libraries are applied based on their sensitivity, who is responsible for restricting access to them, how requests for access must be made and implemented, and how the applied access restrictions must be reviewed and updated. You can document these processes through an Access Control Policy or a Procedure for Accessing the Source Code.
  • People — make employees aware of why restricting access to source code is needed, and train IT staff on how to apply those restrictions.
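The organization/process bullet above calls for access restrictions that depend on repository sensitivity and for periodic review of the access that has actually been granted. The following is an added example, not part of the original page or of the ISO 27001 standard, of how such a review can be automated: a hypothetical policy maps each sensitivity level to the groups allowed on it and the maximum permission each group may hold, a constructed repository inventory assigns sensitivity levels, and the script compares an export of the grants actually configured on the code-hosting system against that policy. The policy, the inventory, the CSV format and all names are constructed for illustration; a real review would read the grant export from the organization's own platform.

```python
import csv
import io
from dataclasses import dataclass
from typing import Dict, List

# Ordering of permissions, used to decide whether a grant exceeds its ceiling.
PERMISSION_RANK = {"read": 1, "write": 2, "admin": 3}

# Hypothetical access policy (constructed): for each sensitivity level, the
# groups allowed on repositories of that level and the highest permission
# each group may hold. Groups not listed get no access at all.
POLICY: Dict[str, Dict[str, str]] = {
    "internal":     {"developers": "write", "contractors": "read", "build-system": "read"},
    "confidential": {"core-maintainers": "write", "developers": "read", "build-system": "read"},
    "restricted":   {"core-maintainers": "write", "build-system": "read"},
}

# Constructed repository inventory: repository name -> sensitivity level.
REPOS: Dict[str, str] = {
    "internal-tools":   "internal",
    "payments-service": "confidential",
    "hsm-firmware":     "restricted",
}

# Constructed grant export, in a CSV shape assumed for this example.
# Principals are group names, or "user:<name>" for a direct user grant.
SAMPLE_EXPORT = """repo,principal,permission
internal-tools,developers,write
payments-service,build-system,read
payments-service,developers,write
hsm-firmware,contractors,read
hsm-firmware,user:alice,admin
old-prototype,developers,read
"""


@dataclass(frozen=True)
class Grant:
    repo: str
    principal: str
    permission: str


@dataclass(frozen=True)
class Finding:
    repo: str
    principal: str
    reason: str


def parse_grants(export_text: str) -> List[Grant]:
    """Parse the CSV grant export into Grant records."""
    reader = csv.DictReader(io.StringIO(export_text))
    return [Grant(r["repo"], r["principal"], r["permission"].lower()) for r in reader]


def review_grants(grants: List[Grant], repos: Dict[str, str] = REPOS,
                  policy: Dict[str, Dict[str, str]] = POLICY) -> List[Finding]:
    """Return one Finding for every grant that violates the sensitivity-based policy."""
    findings: List[Finding] = []
    for g in grants:
        sensitivity = repos.get(g.repo)
        if sensitivity is None:
            # A repository nobody classified cannot have its access justified.
            findings.append(Finding(g.repo, g.principal, "repository missing from inventory; sensitivity unknown"))
            continue
        if g.permission not in PERMISSION_RANK:
            findings.append(Finding(g.repo, g.principal, f"unknown permission {g.permission!r}"))
            continue
        if g.principal.startswith("user:"):
            # Direct user grants bypass the group-based model and are easy to forget at offboarding.
            findings.append(Finding(g.repo, g.principal, "direct user grant bypasses group-based access control"))
            continue
        ceiling = policy[sensitivity].get(g.principal)
        if ceiling is None:
            findings.append(Finding(g.repo, g.principal, f"group not permitted on {sensitivity} repository"))
        elif PERMISSION_RANK[g.permission] > PERMISSION_RANK[ceiling]:
            findings.append(Finding(g.repo, g.principal,
                                    f"permission {g.permission} exceeds ceiling {ceiling} for {sensitivity}"))
    return findings


def format_report(findings: List[Finding]) -> str:
    """Render findings as plain text suitable for attaching to the access-review record."""
    if not findings:
        return "Access review: no deviations from policy."
    lines = [f"Access review: {len(findings)} deviation(s) found"]
    lines += [f"- {f.repo}: {f.principal}: {f.reason}" for f in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(review_grants(parse_grants(SAMPLE_EXPORT))))
```

Running the script on the constructed export reports four deviations: a group holding write on a confidential repository whose ceiling is read, a group with no entitlement at all on a restricted repository, a direct user grant, and a repository that was never classified. The report itself, together with the policy file and a record of the corrections made, is the kind of artifact that documents the review step the process bullet describes.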

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.8.4 Access to source code: whether access to source code, development tools, and software libraries is managed.