This checklist is designed to assess compliance with DORA Article 21 requirements through CI/CD pipeline controls and supporting ICT processes. It supports internal audits, supervisory reviews, and regulatory assessments.
Article 21(1) — ICT Risk Management Framework

| Control Check | Yes | No |
| --- | --- | --- |
| CI/CD pipelines are included in the ICT risk management scope | ⬜ | ⬜ |
| ICT risks related to software delivery are formally identified | ⬜ | ⬜ |
| Preventive controls are enforced via CI/CD pipelines | ⬜ | ⬜ |
| Detection mechanisms exist for pipeline-related incidents | ⬜ | ⬜ |
| CI/CD supports response and recovery processes | ⬜ | ⬜ |
Article 21(2)(a) — Access Control

| Control Check | Yes | No |
| --- | --- | --- |
| CI/CD access follows least privilege principles | ⬜ | ⬜ |
| Pipeline identities are separated from human users | ⬜ | ⬜ |
| RBAC is enforced for pipeline configuration | ⬜ | ⬜ |
| MFA is required for CI/CD administrators | ⬜ | ⬜ |
| Privileged actions are restricted and monitored | ⬜ | ⬜ |
Article 21(2)(b) — Segregation of Duties

| Control Check | Yes | No |
| --- | --- | --- |
| Developers cannot self-approve production changes | ⬜ | ⬜ |
| Code review is mandatory before pipeline execution | ⬜ | ⬜ |
| Build and deploy permissions are separated | ⬜ | ⬜ |
| Overrides and exceptions are logged | ⬜ | ⬜ |
| Segregation of duties is reviewed periodically | ⬜ | ⬜ |
Article 21(2)(c) — Logging and Monitoring

| Control Check | Yes | No |
| --- | --- | --- |
| All CI/CD executions are logged | ⬜ | ⬜ |
| Logs include approvals and security checks | ⬜ | ⬜ |
| Logs are centrally collected | ⬜ | ⬜ |
| Log retention meets regulatory requirements | ⬜ | ⬜ |
| Alerts exist for abnormal pipeline behavior | ⬜ | ⬜ |
Article 21(2)(d) — Change Management & Integrity

| Control Check | Yes | No |
| --- | --- | --- |
| All production changes go through CI/CD pipelines | ⬜ | ⬜ |
| Artifact integrity is verified before deployment | ⬜ | ⬜ |
| Provenance links source code to deployed artifacts | ⬜ | ⬜ |
| Out-of-band deployments are prevented or logged | ⬜ | ⬜ |
| Change approvals are auditable | ⬜ | ⬜ |
Article 21(2)(e) — Resilience, Backup, and Recovery

| Control Check | Yes | No |
| --- | --- | --- |
| CI/CD pipelines are designed for resilience | ⬜ | ⬜ |
| Build environments are isolated and hardened | ⬜ | ⬜ |
| Pipeline configurations are backed up securely | ⬜ | ⬜ |
| Rollback procedures are tested | ⬜ | ⬜ |
| CI/CD components do not represent single points of failure | ⬜ | ⬜ |