Supplier Governance & CI/CD Controls — Strict Auditor Version

February 24, 2026February 19, 2026 by Said OULMAKHZOUNE

Section A — Governance & Inventory

Control	Yes	No	Evidence Reference
Complete inventory of CI/CD-related suppliers exists	☐	☐
Supplier criticality classification defined	☐	☐
Business owner formally assigned	☐	☐
Technical owner formally assigned	☐	☐
Annual risk assessment performed	☐	☐
Sub-processor list documented	☐	☐

Section B — Contractual & Regulatory Controls

Control	Yes	No	Evidence Reference
Security obligations included in contract	☐	☐
Incident notification SLA defined	☐	☐
Audit rights clause present	☐	☐
Data location transparency included	☐	☐
Exit strategy clause contractually defined	☐	☐

Section C — Technical CI/CD Enforcement

Control	Yes	No	Evidence Reference
SSO enforced on CI/CD admin accounts	☐	☐
MFA mandatory for privileged roles	☐	☐
Role-based access with least privilege	☐	☐
Protected branches enforced	☐	☐
Mandatory production approvals configured	☐	☐
Policy gates block critical findings	☐	☐
Artifact signing enforced	☐	☐
SBOM generation automated	☐	☐
Runner isolation implemented	☐	☐

Section D — Evidence & Retention

Control	Yes	No	Evidence Reference
CI/CD logs retained per policy	☐	☐
Approval logs exportable	☐	☐
Security scan results archived centrally	☐	☐
Full traceability commit → artifact → prod	☐	☐
Evidence retention period documented	☐	☐

Section E — Exit Strategy & DR Testing

Control	Yes	No	Evidence Reference
Documented exit plan exists	☐	☐
Code export tested	☐	☐
Pipeline config export tested	☐	☐
Artifact export tested	☐	☐
DR / migration exercise performed	☐	☐

Auditor Decision Block

Overall risk rating: ___
Critical findings: ___
Remediation required by: ___
Follow-up audit date: ___