This compliance-oriented audit table maps CI/CD security controls to common regulatory and assurance frameworks (ISO 27001, SOC 2, and DORA). It is intended to support internal audits, external assessments, and regulatory readiness in enterprise environments. Each row names a control, the framework clauses it maps to, and a Yes/No checkbox for recording whether the control is in place.
🔐 Identity & Access Management (IAM)
| Control | ISO 27001 | SOC 2 | DORA | Yes | No |
|---|---|---|---|---|---|
| Least privilege enforced for CI/CD service accounts | A.8.2 / A.5.15 | CC6.1 | ICT Risk Mgmt | ⬜ | ⬜ |
| Segregation between human and pipeline identities | A.6.3 | CC6.3 | Governance | ⬜ | ⬜ |
| Role-based access for pipeline configuration | A.5.18 | CC6.2 | Access Control | ⬜ | ⬜ |
| MFA enforced for CI/CD administrators | A.5.17 | CC6.1 | ICT Security | ⬜ | ⬜ |
| Approval required for privileged pipeline actions | A.5.19 | CC7.2 | Change Mgmt | ⬜ | ⬜ |
🔑 Secrets Management
| Control | ISO 27001 | SOC 2 | DORA | Yes | No |
|---|---|---|---|---|---|
| Secrets not stored in source control | A.8.12 | CC6.1 | ICT Security | ⬜ | ⬜ |
| Runtime injection of secrets | A.8.24 | CC6.7 | ICT Risk Mgmt | ⬜ | ⬜ |
| Environment-scoped secrets | A.5.15 | CC6.2 | Governance | ⬜ | ⬜ |
| Regular secret rotation | A.8.15 | CC6.1 | ICT Security | ⬜ | ⬜ |
| Secret values excluded from logs | A.8.16 | CC7.2 | Monitoring | ⬜ | ⬜ |
📦 Artifact Integrity & Software Supply Chain
| Control | ISO 27001 | SOC 2 | DORA | Yes | No |
|---|---|---|---|---|---|
| Hardened CI/CD build environments | A.8.20 | CC6.6 | ICT Resilience | ⬜ | ⬜ |
| Artifact signing enforced | A.8.23 | CC7.3 | Supply Chain | ⬜ | ⬜ |
| Provenance linking code, pipeline, and artifact | A.8.9 | CC7.2 | Traceability | ⬜ | ⬜ |
| Artifact repositories enforce immutability | A.8.10 | CC6.5 | ICT Security | ⬜ | ⬜ |
| Promotion limited to trusted artifacts | A.8.21 | CC6.6 | Change Mgmt | ⬜ | ⬜ |
🔗 Third-Party & CI/CD Integrations
| Control | ISO 27001 | SOC 2 | DORA | Yes | No |
|---|---|---|---|---|---|
| Third-party CI/CD plugins formally approved | A.5.22 | CC6.3 | Third-Party Risk | ⬜ | ⬜ |
| Integrations pinned to specific versions | A.8.8 | CC7.3 | Supply Chain | ⬜ | ⬜ |
| Integrity verification of external actions | A.8.23 | CC7.3 | ICT Security | ⬜ | ⬜ |
| Restriction of community-maintained plugins | A.5.23 | CC6.6 | Risk Mgmt | ⬜ | ⬜ |
| Monitoring of integration usage | A.8.16 | CC7.2 | Monitoring | ⬜ | ⬜ |
📊 Logging, Monitoring & Audit Evidence
| Control | ISO 27001 | SOC 2 | DORA | Yes | No |
|---|---|---|---|---|---|
| CI/CD pipeline activity fully logged | A.8.15 | CC7.2 | Monitoring | ⬜ | ⬜ |
| Logs include approvals and security checks | A.8.14 | CC7.3 | Governance | ⬜ | ⬜ |
| Centralized log collection | A.8.16 | CC7.2 | ICT Risk Mgmt | ⬜ | ⬜ |
| Log retention aligned with policy | A.5.34 | CC7.4 | Record Keeping | ⬜ | ⬜ |
| Evidence supports audits and investigations | A.5.31 | CC2.2 | Compliance | ⬜ | ⬜ |
🛡️ Change Management & Governance
| Control | ISO 27001 | SOC 2 | DORA | Yes | No |
|---|---|---|---|---|---|
| Changes reviewed and approved via pipeline | A.8.32 | CC8.1 | Change Mgmt | ⬜ | ⬜ |
| Separation between build and deploy roles | A.6.3 | CC6.3 | Governance | ⬜ | ⬜ |
| Policy enforcement via automated gates | A.5.19 | CC7.2 | ICT Security | ⬜ | ⬜ |
| Exceptions formally approved and logged | A.5.31 | CC2.3 | Compliance | ⬜ | ⬜ |
| CI/CD governance reviewed periodically | A.5.36 | CC1.2 | Oversight | ⬜ | ⬜ |
How to Use This Compliance Audit Table
Use it during ISO 27001 internal audits.
Attach it to SOC 2 readiness assessments.
Use it to support DORA ICT risk management evidence.
Track remediation actions in the Notes column.
Review it periodically as CI/CD pipelines evolve.