DORA Article 21 — Auditor Checklist (CI/CD & ICT Risk Management)

This checklist is designed to assess compliance with DORA Article 21 requirements through CI/CD pipeline controls and supporting ICT processes.
It supports internal audits, supervisory reviews, and regulatory assessments.

---

Article 21(1) — ICT Risk Management Framework

Control Check	Yes	No
CI/CD pipelines are included in the ICT risk management scope	⬜	⬜
ICT risks related to software delivery are formally identified	⬜	⬜
Preventive controls are enforced via CI/CD pipelines	⬜	⬜
Detection mechanisms exist for pipeline-related incidents	⬜	⬜
CI/CD supports response and recovery processes	⬜	⬜

---

Article 21(2)(a) — Access Control

Control Check	Yes	No
CI/CD access follows least privilege principles	⬜	⬜
Pipeline identities are separated from human users	⬜	⬜
RBAC is enforced for pipeline configuration	⬜	⬜
MFA is required for CI/CD administrators	⬜	⬜
Privileged actions are restricted and monitored	⬜	⬜

---

Article 21(2)(b) — Segregation of Duties

Control Check	Yes	No
Developers cannot self-approve production changes	⬜	⬜
Code review is mandatory before pipeline execution	⬜	⬜
Build and deploy permissions are separated	⬜	⬜
Overrides and exceptions are logged	⬜	⬜
Segregation of duties is reviewed periodically	⬜	⬜

---

Article 21(2)(c) — Logging and Monitoring

Control Check	Yes	No
All CI/CD executions are logged	⬜	⬜
Logs include approvals and security checks	⬜	⬜
Logs are centrally collected	⬜	⬜
Log retention meets regulatory requirements	⬜	⬜
Alerts exist for abnormal pipeline behavior	⬜	⬜

---

Article 21(2)(d) — Change Management & Integrity

Control Check	Yes	No
All production changes go through CI/CD pipelines	⬜	⬜
Artifact integrity is verified before deployment	⬜	⬜
Provenance links source code to deployed artifacts	⬜	⬜
Out-of-band deployments are prevented or logged	⬜	⬜
Change approvals are auditable	⬜	⬜

---

Article 21(2)(e) — Resilience, Backup, and Recovery

Control Check	Yes	No
CI/CD pipelines are designed for resilience	⬜	⬜
Build environments are isolated and hardened	⬜	⬜
Pipeline configurations are backed up securely	⬜	⬜
Rollback procedures are tested	⬜	⬜
CI/CD components do not represent single points of failure	⬜	⬜

---

Article 21(2)(f) — Continuous Improvement

Control Check	Yes	No
CI/CD security controls are reviewed periodically	⬜	⬜
Pipeline controls evolve with threat landscape	⬜	⬜
Lessons learned are fed back into pipelines	⬜	⬜
Compliance gaps trigger corrective actions	⬜	⬜
Management oversight includes CI/CD risk posture	⬜	⬜

---

Auditor Guidance

When using this checklist:

• Request technical evidence, not policies alone
• Verify that controls are automated and enforced
• Confirm that evidence is current and reproducible
• Assess consistency across teams and pipelines
• Pay special attention to exceptions and overrides

---

Related Resources

• DORA Article 21 Deep Dive
• Article 21 ↔ CI/CD Controls Mapping
• DORA Compliance Architecture
• Compliance

---

Audit-ready context

Written for regulated environments: controls before tools, policy enforcement in CI/CD, and evidence-by-design for audits.

Focus areas include traceability, approvals, exception governance, and evidence retention across build, release, and operations.

See methodology on the About page.