What to Show Auditors (CI/CD, Vendors, Software Supply Chain)
Supply chain security is one of the most scrutinized areas under the NIS2 Directive. Auditors and supervisory authorities are not looking for theoretical risk statements — they expect concrete, system-generated evidence showing how supplier-related cybersecurity risks are identified, controlled, monitored, and addressed.
This article provides a practical NIS2 supply chain evidence pack, outlining what auditors typically ask for and what organizations should be able to demonstrate in practice, particularly in environments relying on CI/CD pipelines and third-party services.
Purpose of This Evidence Pack
The goal of this evidence pack is to:
- structure audit preparation around facts and proof
- avoid improvisation during supervisory reviews
- align supplier governance with CI/CD enforcement
- demonstrate compliance with NIS2 cybersecurity risk-management measures
This pack focuses on evidence, not tools or policies in isolation.
Supplier Identification and Risk Classification
What auditors typically ask
How do you identify suppliers and assess supply chain cybersecurity risks?
Evidence to provide
- A maintained supplier inventory including:
- software vendors
- SaaS providers
- CI/CD platforms
- cloud and infrastructure services
- Supplier criticality classification (e.g. critical / important / non-critical)
- Risk assessment criteria based on:
- business impact
- access level
- data sensitivity
- operational dependency
Expected evidence examples
- Supplier register or inventory export
- Risk scoring methodology (concise, structured)
- Mapping of suppliers to supported services or systems
Supplier Security Requirements and Contractual Controls
What auditors typically ask
How are cybersecurity requirements enforced on suppliers?
Evidence to provide
- Security requirements integrated into procurement processes
- Contractual clauses covering:
- cybersecurity obligations
- incident notification timelines
- right to audit or assurance
- Defined minimum security expectations for critical suppliers
Expected evidence examples
- Contract extracts (security-related sections only)
- Supplier security addenda
- Procurement or vendor onboarding checklists
Auditors generally do not require full contracts — targeted extracts are sufficient.
CI/CD Controls Supporting Supply Chain Security
What auditors typically ask
How do CI/CD pipelines reduce supply chain risk?
Evidence to provide
- CI/CD pipelines enforcing:
- protected branches and code review
- restricted pipeline modification access
- secrets management controls
- Dependency scanning (SCA) integrated into pipelines
- Policy enforcement blocking builds or deployments on critical risk
Expected evidence examples
- CI/CD pipeline definitions (YAML or configuration exports)
- Example of a failed pipeline due to dependency or policy violation
- Read-only screenshots of CI/CD security configuration
Dependency and Artifact Integrity
What auditors typically ask
How do you know that deployed software has not been tampered with?
Evidence to provide
- Software Bill of Materials (SBOM) for critical releases
- Provenance linking:
- source code
- build execution
- generated artifact
- deployment
- Artifact integrity controls (signing, verification, trusted registries)
Expected evidence examples
- SBOM file for a representative release
- Artifact repository metadata
- Deployment trace showing end-to-end linkage
Third-Party Access and Privilege Management
What auditors typically ask
Do suppliers or third-party tools have privileged access?
Evidence to provide
- Inventory of third-party and service accounts
- Least privilege justification for access
- Periodic access reviews for supplier accounts
- Approval workflows for privileged access
Expected evidence examples
- IAM role listings
- Access review reports
- Approval or ticket records
Monitoring and Detection of Supply Chain Events
What auditors typically ask
How do you detect supply chain-related security events?
Evidence to provide
- Monitoring of:
- CI/CD pipeline activity
- dependency vulnerability alerts
- anomalous third-party behavior
- Defined alerting thresholds and escalation paths
Expected evidence examples
- SIEM or monitoring rules
- Example alerts related to dependencies or pipeline anomalies
- Incident or investigation tickets (sanitized)
Incident Response and Supplier Coordination
What auditors typically ask
What happens if a supplier is compromised?
Evidence to provide
- Incident response playbooks covering:
- compromised dependencies
- compromised CI/CD components
- supplier security incidents
- Revocation and containment procedures
- Supplier escalation and communication paths
Expected evidence examples
- Incident response playbook excerpts
- Tabletop exercise or test results
- Post-incident review reports (if applicable)
Evidence Retention and Auditability
What auditors typically ask
Can you retrieve historical supply chain evidence?
Evidence to provide
- Defined retention periods for:
- CI/CD logs
- security scan results
- supplier-related records
- Centralized storage and retrieval capability
Expected evidence examples
- Retention policy documentation
- Logging platform retention configuration
- Example historical log or report retrieval
Common Audit Findings Related to Supply Chain
Auditors frequently identify issues such as:
- incomplete supplier inventories
- lack of supplier criticality classification
- CI/CD pipelines with excessive privileges
- insufficient evidence retention
- undocumented supplier exceptions
Addressing these gaps proactively significantly reduces NIS2 compliance risk.
Conclusion
NIS2 supply chain compliance is not achieved through documentation alone. It requires operational enforcement, technical controls, and continuous evidence generation across suppliers, CI/CD pipelines, and production systems.
Organizations that treat CI/CD pipelines as enforcement points for supply chain security — and maintain structured, retrievable evidence — are best positioned to meet NIS2 supervisory expectations with confidence.
Related Content
- NIS2 Security Architecture — Explained
- NIS2 Supply Chain Security Deep Dive
- Supplier Governance & CI/CD Controls Checklist
- CI/CD Security
- How Auditors Actually Review CI/CD Pipelines
