DORA Article 21 — Auditor Checklist (CI/CD & ICT Risk Management)

This checklist is designed to assess compliance with DORA Article 21 requirements through CI/CD pipeline controls and the ICT processes that support them.
It supports internal audits, supervisory reviews, and regulatory assessments. Each control is marked Yes or No; a "No" should be backed by a documented gap and corrective action.

Article 21(1) — ICT Risk Management Framework

Control Check | Yes | No
CI/CD pipelines are included in the ICT risk management scope | [ ] | [ ]
ICT risks related to software delivery are formally identified | [ ] | [ ]
Preventive controls are enforced via CI/CD pipelines | [ ] | [ ]
Detection mechanisms exist for pipeline-related incidents | [ ] | [ ]
CI/CD supports response and recovery processes | [ ] | [ ]

Article 21(2)(a) — Access Control

Control Check | Yes | No
CI/CD access follows least privilege principles | [ ] | [ ]
Pipeline identities are separated from human users | [ ] | [ ]
RBAC is enforced for pipeline configuration | [ ] | [ ]
MFA is required for CI/CD administrators | [ ] | [ ]
Privileged actions are restricted and monitored | [ ] | [ ]

Article 21(2)(b) — Segregation of Duties

Control Check | Yes | No
Developers cannot self-approve production changes | [ ] | [ ]
Code review is mandatory before pipeline execution | [ ] | [ ]
Build and deploy permissions are separated | [ ] | [ ]
Overrides and exceptions are logged | [ ] | [ ]
Segregation of duties is reviewed periodically | [ ] | [ ]

Article 21(2)(c) — Logging and Monitoring

Control Check | Yes | No
All CI/CD executions are logged | [ ] | [ ]
Logs record approvals and security-check results | [ ] | [ ]
Logs are centrally collected | [ ] | [ ]
Log retention meets regulatory requirements | [ ] | [ ]
Alerts exist for abnormal pipeline behavior | [ ] | [ ]

Article 21(2)(d) — Change Management & Integrity

Control Check | Yes | No
All production changes go through CI/CD pipelines | [ ] | [ ]
Artifact integrity is verified before deployment | [ ] | [ ]
Provenance links source code to deployed artifacts | [ ] | [ ]
Out-of-band deployments are prevented or logged | [ ] | [ ]
Change approvals are auditable | [ ] | [ ]
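The Segregation of Duties and Change Management & Integrity controls above are the ones an auditor can most readily test mechanically: given the records a pipeline leaves behind, the checks are "does the deployed artifact match its build attestation", "does the attestation point at the approved commit", "was the change approved by someone other than its author", and "did it go through the pipeline at all". The following is an added example, not part of this checklist or of any regulator's tooling, showing how such evidence can be checked. The record formats, field names (`source_commit`, `artifact_sha256`, `approvers`, `deployed_via`) and sample values are all constructed assumptions; a real review would read them from the pipeline's own attestation and change-management exports.

```python
"""Evidence check for DORA Art. 21(2)(b) and 21(2)(d) pipeline controls.

Added example: the record layouts below are assumptions, not a standard.
"""
import hashlib
from typing import Dict, List

# Constructed sample artifact (stands in for a real build output).
ARTIFACT = b"example-service release 1.4.2\n"

# Constructed build attestation: what the builder recorded about this output.
ATTESTATION: Dict[str, str] = {
    "source_commit": "COMMIT-PLACEHOLDER-1",        # placeholder commit id
    "artifact_sha256": hashlib.sha256(ARTIFACT).hexdigest(),
    "builder": "ci-runner-prod",                     # constructed identity
}

# Constructed change record from the approval workflow.
CHANGE_RECORD: Dict[str, object] = {
    "change_id": "CHG-PLACEHOLDER-1",
    "commit": "COMMIT-PLACEHOLDER-1",
    "author": "alice",
    "approvers": ["bob"],
    "deployed_via": "pipeline",      # "pipeline" or "manual" (assumed values)
}


def check_change(artifact: bytes, attestation: Dict[str, str],
                 change: Dict[str, object]) -> List[str]:
    """Return a list of control failures; an empty list means all checks passed.

    Each finding is prefixed with the Article 21 clause it relates to so the
    auditor can map it straight back to the checklist row.
    """
    findings: List[str] = []

    # 21(2)(d): artifact integrity - recompute the digest of what is about to be
    # (or was) deployed and compare it with the builder's attestation.
    actual_digest = hashlib.sha256(artifact).hexdigest()
    if actual_digest != attestation.get("artifact_sha256"):
        findings.append("21(2)(d): artifact digest does not match build attestation")

    # 21(2)(d): provenance - the attested source commit must be the commit that
    # was actually approved in the change record.
    if attestation.get("source_commit") != change.get("commit"):
        findings.append("21(2)(d): attested source commit differs from approved commit")

    # 21(2)(b): segregation of duties - at least one approver, none of them the author.
    approvers = list(change.get("approvers", []))
    if not approvers:
        findings.append("21(2)(b): change has no recorded approver")
    elif change.get("author") in approvers:
        findings.append("21(2)(b): change was self-approved by its author")

    # 21(2)(d): out-of-band deployments must at minimum be visible to the auditor.
    if change.get("deployed_via") != "pipeline":
        findings.append("21(2)(d): deployment did not go through the CI/CD pipeline")

    return findings


def tampered_cases() -> Dict[str, List[str]]:
    """Run the check against deliberately broken copies of the sample evidence.

    Shows what each control failure looks like in the output.
    """
    self_approved = dict(CHANGE_RECORD, approvers=["alice"])
    manual_deploy = dict(CHANGE_RECORD, deployed_via="manual")
    return {
        "clean": check_change(ARTIFACT, ATTESTATION, CHANGE_RECORD),
        "modified_artifact": check_change(ARTIFACT + b"x", ATTESTATION, CHANGE_RECORD),
        "self_approved": check_change(ARTIFACT, ATTESTATION, self_approved),
        "manual_deploy": check_change(ARTIFACT, ATTESTATION, manual_deploy),
    }


if __name__ == "__main__":
    for name, result in tampered_cases().items():
        status = "PASS" if not result else "FAIL"
        print(f"{name}: {status}")
        for finding in result:
            print(f"  - {finding}")
```

The point for the auditor is that each checklist row becomes a reproducible check over evidence the pipeline already emits: rerunning the script on the same records gives the same result, which is what "current and reproducible" evidence means in practice. Only the clean case returns no findings; each tampered copy fails on exactly the control it violates.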

Article 21(2)(e) — Resilience, Backup, and Recovery

Control Check | Yes | No
CI/CD pipelines are designed for resilience | [ ] | [ ]
Build environments are isolated and hardened | [ ] | [ ]
Pipeline configurations are backed up securely | [ ] | [ ]
Rollback procedures are tested | [ ] | [ ]
CI/CD components do not represent single points of failure | [ ] | [ ]

Article 21(2)(f) — Continuous Improvement

Control Check | Yes | No
CI/CD security controls are reviewed periodically | [ ] | [ ]
Pipeline controls evolve with the threat landscape | [ ] | [ ]
Lessons learned are fed back into pipelines | [ ] | [ ]
Compliance gaps trigger corrective actions | [ ] | [ ]
Management oversight includes the CI/CD risk posture | [ ] | [ ]

Auditor Guidance

When using this checklist:

  • Request technical evidence (pipeline configuration, logs, attestations), not policies alone
  • Verify that controls are automated and enforced, not merely documented
  • Confirm that evidence is current and reproducible
  • Assess consistency across teams and pipelines
  • Pay special attention to exceptions and overrides

Audit-ready context

Content designed for regulated environments: controls before tools, policy enforcement in the CI/CD pipeline, and evidence-by-design for audit.

Focus on traceability, approvals, exception governance, and end-to-end retention of evidence.

See the methodology on the About page.