<article class="post-1215 post type-post status-publish format-standard hentry category-regulatory-frameworks category-audit-evidence category-ci-cd-governance" lang="en">

<h1>DORA Article 21 — Evidence Pack for Auditors</h1>

<p>Published 2026-01-06, last modified 2026-03-26. Canonical URL: <a href="https://regulated-devsecops.com/fr/regulatory-frameworks/dora-article-21-evidence-pack-for-auditors/">https://regulated-devsecops.com/fr/regulatory-frameworks/dora-article-21-evidence-pack-for-auditors/</a>. Categories: Regulatory Frameworks, Audit Evidence, CI/CD Governance.</p>

<p><strong>What to show, where to find it, and why it matters</strong></p>

<p>This evidence pack lists the technical and operational artefacts that financial institutions must be able to present to demonstrate compliance with DORA Article 21.<br>It treats CI/CD pipelines as regulated ICT systems and concentrates on evidence that is reproducible and ready for audit.</p>

<hr class="wp-block-separator has-alpha-channel-opacity"/>

<h2 class="wp-block-heading">How to use this evidence pack</h2>

<ul class="wp-block-list">
<li>Use it as a <strong>checklist during audit preparation</strong></li>
<li>Share it with the <strong>engineering, security and compliance teams</strong></li>
<li>Attach references to the actual systems, logs and repositories</li>
<li>Make sure the evidence is <strong>current, traceable and reproducible</strong></li>
</ul>

<hr class="wp-block-separator has-alpha-channel-opacity"/>

<h2 class="wp-block-heading">Article 21(1) — ICT risk management framework</h2>

<h3 class="wp-block-heading">Evidence to provide</h3>

<figure class="wp-block-table"><table><thead><tr><th><strong>Evidence type</strong></th><th><strong>What auditors expect</strong></th></tr></thead><tbody><tr><td>ICT risk register</td><td>CI/CD pipelines explicitly listed as in-scope ICT systems</td></tr><tr><td>Threat models</td><td>CI/CD-specific risks (credential abuse, supply chain compromise, artifact integrity)</td></tr><tr><td>Risk treatment plans</td><td>Controls mapped to the CI/CD pipelines</td></tr><tr><td>Governance documentation</td><td>Named ownership of CI/CD security and risk</td></tr></tbody></table></figure>

<h3 class="wp-block-heading"><strong>Typical sources</strong></h3>

<ul class="wp-block-list">
<li>Risk management tools</li>
<li>Architecture documentation</li>
<li>Security governance repositories</li>
</ul>

<hr class="wp-block-separator has-alpha-channel-opacity"/>

<h2 class="wp-block-heading"><strong>Article 21(2)(a) — Access control</strong></h2>

<h3 class="wp-block-heading"><strong>Evidence to provide</strong></h3>

<figure class="wp-block-table"><table><thead><tr><th><strong>Evidence type</strong></th><th><strong>What auditors expect</strong></th></tr></thead><tbody><tr><td>IAM policies</td><td>Least privilege for CI/CD service accounts</td></tr><tr><td>RBAC configuration</td><td>Role separation for pipeline administration</td></tr><tr><td>MFA enforcement</td><td>Proof that MFA is required for privileged users</td></tr><tr><td>Identity inventory</td><td>Clear distinction between human and automation identities</td></tr></tbody></table></figure>

<h3 class="wp-block-heading"><strong>Typical sources</strong></h3>

<ul class="wp-block-list">
<li>IAM platform</li>
<li>CI/CD system configuration</li>
<li>Access review reports</li>
</ul>

<hr class="wp-block-separator has-alpha-channel-opacity"/>

<h2 class="wp-block-heading"><strong>Article 21(2)(b) — Segregation of duties</strong></h2>

<h3 class="wp-block-heading"><strong>Evidence to provide</strong></h3>

<figure class="wp-block-table"><table><thead><tr><th><strong>Evidence type</strong></th><th><strong>What auditors expect</strong></th></tr></thead><tbody><tr><td>Code review rules</td><td>Peer review that is mandatory and technically enforced</td></tr><tr><td>Approval workflows</td><td>Independent approval for production changes</td></tr><tr><td>Role mapping</td><td>Separation between the build, validation and deployment roles</td></tr><tr><td>Exception logs</td><td>Records of waivers and the approvals that granted them</td></tr></tbody></table></figure>

<h3 class="wp-block-heading"><strong>Typical sources</strong></h3>

<ul class="wp-block-list">
<li>Source control platform</li>
<li>CI/CD pipeline definitions</li>
<li>Audit logs</li>
</ul>

<hr class="wp-block-separator has-alpha-channel-opacity"/>

<h2 class="wp-block-heading"><strong>Article 21(2)(c) — Logging and monitoring</strong></h2>

<h3 class="wp-block-heading"><strong>Evidence to provide</strong></h3>

<figure class="wp-block-table"><table><thead><tr><th><strong>Evidence type</strong></th><th><strong>What auditors expect</strong></th></tr></thead><tbody><tr><td>Pipeline execution logs</td><td>Complete history of runs and their results</td></tr><tr><td>Security event logs</td><td>Failed verifications, blocked releases</td></tr><tr><td>Monitoring dashboards</td><td>Visibility into pipeline health</td></tr><tr><td>Log retention policies</td><td>Retention periods aligned with regulatory requirements</td></tr></tbody></table></figure>

<h3 class="wp-block-heading"><strong>Typical sources</strong></h3>

<ul class="wp-block-list">
<li>CI/CD platforms</li>
<li>SIEM / logging systems</li>
<li>Monitoring tools</li>
</ul>

<hr class="wp-block-separator has-alpha-channel-opacity"/>

<h2 class="wp-block-heading"><strong>Article 21(2)(d) — Change management and integrity</strong></h2>

<h3 class="wp-block-heading"><strong>Evidence to provide</strong></h3>

<figure class="wp-block-table"><table><thead><tr><th><strong>Evidence type</strong></th><th><strong>What auditors expect</strong></th></tr></thead><tbody><tr><td>Deployment records</td><td>Every production change traceable through the pipelines</td></tr><tr><td>Artifact signing</td><td>Cryptographic proof of integrity</td></tr><tr><td>Provenance metadata</td><td>Link source → build → artifact</td></tr><tr><td>Release approvals</td><td>Auditable decision points</td></tr></tbody></table></figure>

<h3 class="wp-block-heading"><strong>Typical sources</strong></h3>

<ul class="wp-block-list">
<li>Artifact repositories</li>
<li>CI/CD metadata stores</li>
<li>Release management systems</li>
</ul>

<hr class="wp-block-separator has-alpha-channel-opacity"/>

<h2 class="wp-block-heading"><strong>Article 21(2)(e) — Resilience, backup and recovery</strong></h2>

<h3 class="wp-block-heading"><strong>Evidence to provide</strong></h3>

<figure class="wp-block-table"><table><thead><tr><th><strong>Evidence type</strong></th><th><strong>What auditors expect</strong></th></tr></thead><tbody><tr><td>CI/CD architecture diagrams</td><td>Redundancy and isolation</td></tr><tr><td>Backup procedures</td><td>Secure backups of pipeline configurations</td></tr><tr><td>Recovery tests</td><td>Evidence of rollback and recovery exercises</td></tr><tr><td>Incident playbooks</td><td>CI/CD-specific response procedures</td></tr></tbody></table></figure>

<h3 class="wp-block-heading"><strong>Typical sources</strong></h3>

<ul class="wp-block-list">
<li>Architecture documentation</li>
<li>Backup systems</li>
<li>Incident management tools</li>
</ul>

<hr class="wp-block-separator has-alpha-channel-opacity"/>

<h2 class="wp-block-heading"><strong>Article 21(2)(f) — Continuous improvement</strong></h2>

<h3 class="wp-block-heading"><strong>Evidence to provide</strong></h3>

<figure class="wp-block-table"><table><thead><tr><th><strong>Evidence type</strong></th><th><strong>What auditors expect</strong></th></tr></thead><tbody><tr><td>Review reports</td><td>Periodic CI/CD security reviews</td></tr><tr><td>Change logs</td><td>Improvements made to pipeline controls</td></tr><tr><td>Metrics and KPIs</td><td>Security and resilience indicators</td></tr><tr><td>Management oversight</td><td>Evidence of governance review</td></tr></tbody></table></figure>

<h3 class="wp-block-heading"><strong>Typical sources</strong></h3>

<ul class="wp-block-list">
<li>Security review records</li>
<li>CI/CD change history</li>
<li>Governance meeting minutes</li>
</ul>

<hr class="wp-block-separator has-alpha-channel-opacity"/>

<h2 class="wp-block-heading"><strong>Common audit pitfalls (what NOT to show on its own)</strong></h2>

<p>Auditors will challenge:</p>

<ul class="wp-block-list">
<li>High-level policies with no technical enforcement behind them</li>
<li>Screenshots that cannot be traced back to a system, a query and a point in time</li>
<li>Manual attestations not backed by system evidence</li>
<li>One-off examples instead of repeatable controls</li>
</ul>

<p>Evidence must be <strong>system-generated, timestamped and reproducible</strong>: an auditor should be able to re-run the same query or pipeline check and obtain the same result.</p>

<hr class="wp-block-separator has-alpha-channel-opacity"/>

<h2 class="wp-block-heading"><strong>Formatting tips for auditors</strong></h2>

<ul class="wp-block-list">
<li>Group evidence <strong>by Article 21 sub-section</strong></li>
<li>Give auditors <strong>read-only access</strong> to logs and dashboards</li>
<li>Include a <strong>sample item of evidence together with an explanation</strong></li>
<li>Name the <strong>control owners</strong> explicitly</li>
<li>Do not overload auditors with irrelevant data</li>
</ul>

<hr class="wp-block-separator has-alpha-channel-opacity"/>

<h2 class="wp-block-heading"><strong>Related resources</strong></h2>

<ul class="wp-block-list">
<li><strong><a href="https://regulated-devsecops.com/fr/uncategorized/dora-article-21-deep-dive-enforcing-ict-risk-controls-via-ci-cd/" data-type="post" data-id="252">DORA Article 21 Deep Dive</a></strong></li>
<li><strong><a href="https://regulated-devsecops.com/fr/uncategorized/dora-article-21-%e2%86%94-ci-cd-controls-mapping/" data-type="post" data-id="255">Article 21 ↔ CI/CD Controls Mapping</a></strong></li>
<li><strong><a href="https://regulated-devsecops.com/fr/ci-cd-governance/dora-article-21-auditor-checklist-ci-cd-ict-risk-management/" data-type="post" data-id="257">DORA Article 21 Auditor Checklist</a></strong></li>
<li><strong><a href="https://regulated-devsecops.com/fr/regulatory-frameworks/dora-compliance-architecture-ci-cd-as-a-regulated-ict-system-2/" data-type="post" data-id="274">DORA Compliance Architecture</a></strong></li>
<li><strong><a href="https://regulated-devsecops.com/compliance/" data-type="page" data-id="17">Compliance</a></strong></li>
</ul>

<hr class="wp-block-separator has-alpha-channel-opacity"/>

<section class="rds-author-box rds-author-box--audit" dir="ltr" lang="en" style="border:1px solid rgba(100,116,139,.35);border-radius:14px;padding:16px 18px;margin:26px 0 18px;background:rgba(148,163,184,.08);">
  <strong style="margin:0 0 8px; font-size:14px; font-weight:700; letter-spacing:.02em;">"Audit-ready" context</strong>
  <p style="margin:0; font-size:14px; line-height:1.55;">Content written for regulated environments: controls before tools, policy enforcement in the CI/CD pipeline, and evidence-by-design for audit.</p>
  <p style="margin:0; font-size:14px; line-height:1.55;">Focus on traceability, approvals, exception governance and end-to-end retention of evidence.</p>
  <p style="margin:0; font-size:14px; line-height:1.55;"><a href="https://regulated-devsecops.com/fr/fr/about/">See the methodology on the About page.</a></p>
</section>

</article>
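<p>The Article 21(2)(a) table above asks for an identity inventory that separates human from automation identities, enforces MFA for privileged users and keeps service accounts at least privilege. The following is an added example, not code from the original page or from the site's own tooling: it turns those expectations into a repeatable review over an IAM export, so the same finding list can be regenerated at audit time instead of shown as a screenshot. The inventory schema, the role names in <code>PRIVILEGED_ROLES</code>, the 90-day dormancy threshold and the sample rows are all assumptions constructed for the example.</p>

```python
"""Identity inventory review for a CI/CD platform (added example).

Assumptions: the inventory schema, role names, 90-day dormancy threshold and
review date are this example's own; SAMPLE_INVENTORY is constructed data,
not an export from any real IAM platform.
"""
from datetime import datetime, timedelta, timezone

# Roles that can change pipeline definitions, secrets or runners (assumed names).
PRIVILEGED_ROLES = {"pipeline-admin", "secrets-admin", "runner-admin"}
DORMANT_AFTER = timedelta(days=90)
# Fixed review date so the run is reproducible (constructed).
AS_OF = datetime(2026, 1, 6, tzinfo=timezone.utc)

# Constructed sample export: one row per identity known to the CI/CD system.
SAMPLE_INVENTORY = [
    {"id": "alice", "kind": "human", "roles": ["developer"], "mfa": True,
     "last_used": "2026-01-05T09:00:00+00:00", "owner": None},
    {"id": "bob", "kind": "human", "roles": ["pipeline-admin"], "mfa": False,
     "last_used": "2026-01-04T12:00:00+00:00", "owner": None},
    {"id": "deploy-bot", "kind": "automation", "roles": ["deployer"], "mfa": False,
     "credential": "oidc-workload-identity",
     "last_used": "2026-01-05T22:00:00+00:00", "owner": "platform-team"},
    {"id": "legacy-ci", "kind": "automation", "roles": ["pipeline-admin", "deployer"],
     "mfa": False, "credential": "static-token",
     "last_used": "2025-08-01T00:00:00+00:00", "owner": None},
]


def review_identities(inventory, now):
    """Return a sorted list of (identity, finding) pairs; empty means no exceptions."""
    findings = []
    for ident in inventory:
        privileged = PRIVILEGED_ROLES & set(ident["roles"])
        last_used = datetime.fromisoformat(ident["last_used"])
        if ident["kind"] == "human":
            # MFA is expected of people; automation identities authenticate
            # with workload credentials instead, so they are checked differently.
            if privileged and not ident["mfa"]:
                findings.append((ident["id"], "privileged human without MFA"))
        else:
            # Service accounts should build or deploy, not administer the pipeline.
            if privileged:
                findings.append((ident["id"], f"automation identity holds {sorted(privileged)}"))
            if ident.get("credential") == "static-token":
                findings.append((ident["id"], "long-lived static credential"))
            if not ident.get("owner"):
                findings.append((ident["id"], "automation identity has no accountable owner"))
        if now - last_used > DORMANT_AFTER:
            findings.append((ident["id"], "dormant: unused for more than 90 days"))
    return sorted(findings)


def counts_by_kind(inventory):
    """Human vs automation split, the inventory-level number auditors ask for first."""
    out = {"human": 0, "automation": 0}
    for ident in inventory:
        out[ident["kind"]] += 1
    return out


if __name__ == "__main__":
    print(counts_by_kind(SAMPLE_INVENTORY))
    for identity, finding in review_identities(SAMPLE_INVENTORY, AS_OF):
        print(f"{identity:12} {finding}")
```

<p>Run against a real export, the script's output (not a screenshot of the IAM console) is the evidence item: it is generated by a system, carries the review date, and produces the same findings when re-run on the same export.</p>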
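<p>The Article 21(2)(b) table asks for enforced peer review, independent approval of production changes, separated build / validation / deployment roles and a log of exceptions. The block below is an added example, not code from the original page, of a segregation-of-duties gate a pipeline can run before a production deployment: it evaluates a change record against those rules and emits a timestamped, hash-protected evidence record, so a waived check is never silent. The <code>Change</code> record layout, the <code>ROLES</code> table and the break-glass ticket convention are assumptions for the example.</p>

```python
"""Segregation-of-duties gate for a production change (added example).

Assumptions: the Change record, the ROLES table and the rule that a
break-glass exception is identified by a ticket reference are this
example's own, not the page's or any CI product's format.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional
import hashlib
import json

# Assumed role model: one identity may hold several roles, but the same
# identity must never author, approve and deploy a single change.
ROLES = {
    "alice": {"developer"},
    "bob": {"developer", "release-approver"},
    "carol": {"release-approver"},
    "deploy-bot": {"deployer"},             # automation identity, not a human
}


@dataclass
class Change:
    change_id: str
    author: str
    approvers: List[str]
    deployer: str
    target: str                             # "production" or "staging"
    exception_ticket: Optional[str] = None  # break-glass reference, if any


def evaluate(change: Change, roles=ROLES, now: Optional[datetime] = None):
    """Return (allowed, evidence); evidence is a JSON-serialisable record the
    pipeline can archive as system-generated, timestamped proof of the decision."""
    now = now or datetime.now(timezone.utc)
    findings = []
    independent = [a for a in change.approvers if a != change.author]
    qualified = [a for a in independent if "release-approver" in roles.get(a, set())]
    if change.author in change.approvers:
        findings.append("author approved their own change")
    if not independent:
        findings.append("no independent reviewer")
    if change.target == "production" and not qualified:
        findings.append("no approval from a release-approver")
    if change.deployer == change.author:
        findings.append("author also performed the deployment")
    if "deployer" not in roles.get(change.deployer, set()):
        findings.append(f"{change.deployer} lacks the deployer role")

    allowed = not findings
    # A documented exception (break-glass) may override failed checks, but
    # never silently: the ticket and the findings it waived stay in the record.
    waived = bool(findings) and change.exception_ticket is not None
    if waived:
        allowed = True
    evidence = {
        "control": "segregation-of-duties",
        "change_id": change.change_id,
        "timestamp": now.isoformat(),
        "decision": "allow" if allowed else "block",
        "findings": findings,
        "exception_ticket": change.exception_ticket if waived else None,
    }
    evidence["record_sha256"] = _hash(evidence)
    return allowed, evidence


def _hash(record: dict) -> str:
    # Hash over a canonical serialisation, excluding the hash field itself.
    body = {k: v for k, v in record.items() if k != "record_sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def verify_record(record: dict) -> bool:
    """Re-compute the hash of an archived record; False means it was altered."""
    return _hash(record) == record.get("record_sha256")


if __name__ == "__main__":
    for chg in [
        Change("CHG-1001", "alice", ["bob"], "deploy-bot", "production"),
        Change("CHG-1002", "alice", ["alice"], "alice", "production"),
        Change("CHG-1003", "alice", [], "deploy-bot", "production", exception_ticket="INC-42"),
    ]:
        print(json.dumps(evaluate(chg)[1], indent=2))
```

<p>The hash only detects edits to an archived record; it does not prove who produced it. In a real pipeline the record should be written to append-only storage by the CI system's own identity, and the findings list for any waived change is what the "Exception logs" row of the table expects to see.</p>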
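<p>The Article 21(2)(d) table lists artifact signing and provenance metadata linking source → build → artifact, and the Article 21(2)(c) table expects failed verifications and blocked releases to show up in the security event log. The block below is an added example, not code from the original page or from any vendor, of a deploy-time gate that checks both: the artifact digest must match the subject of a signed provenance statement, the statement must name a trusted builder and a source commit, and every decision, allowed or blocked, comes out as a timestamped record. The provenance layout is a simplified in-toto-style statement of this example's own design; HMAC-SHA256 with a shared key stands in for the asymmetric signature a real deployment (for instance Sigstore cosign) would use; the builder identities, key and artifact bytes are constructed sample data.</p>

```python
"""Release gate: artifact integrity and provenance verification (added example).

Assumptions: the provenance statement format is this example's own simplified
in-toto-style layout; HMAC-SHA256 with a shared key is a stand-in for a real
asymmetric signature (e.g. cosign); TRUSTED_BUILDERS, the key and the artifact
bytes are constructed sample data.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumed inventory of build runners allowed to produce production artifacts.
TRUSTED_BUILDERS = {"ci://bank-gitlab/runner-prod-01"}


def digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def canonical(statement: dict) -> bytes:
    # Stable serialisation so signer and verifier hash identical bytes.
    return json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()


def attest(artifact: bytes, source_commit: str, builder_id: str, key: bytes) -> dict:
    """Build side: produce a signed provenance statement for an artifact."""
    statement = {
        "subject": {"name": "payments-service.tar", "digest": digest(artifact)},
        "source": {"uri": "git+https://git.example/payments", "commit": source_commit},
        "builder": {"id": builder_id},
    }
    return {"statement": statement,
            "signature": hmac.new(key, canonical(statement), "sha256").hexdigest()}


def verify_release(artifact: bytes, envelope: dict, key: bytes, now=None) -> dict:
    """Deploy side: return an evidence record whose decision is allow or block.

    A blocked record is exactly the 'failed verification / blocked release'
    security event the logging section expects to find in the SIEM."""
    now = now or datetime.now(timezone.utc)
    statement, sig = envelope["statement"], envelope["signature"]
    reasons = []
    expected = hmac.new(key, canonical(statement), "sha256").hexdigest()
    if not hmac.compare_digest(expected, sig):
        reasons.append("provenance signature invalid")
    if statement["subject"]["digest"] != digest(artifact):
        reasons.append("artifact digest does not match provenance subject")
    if statement["builder"]["id"] not in TRUSTED_BUILDERS:
        reasons.append("untrusted builder identity")
    if not statement["source"].get("commit"):
        reasons.append("provenance has no source commit")
    return {
        "control": "artifact-integrity-and-provenance",
        "timestamp": now.isoformat(),
        "artifact_digest": digest(artifact),
        "source_commit": statement["source"].get("commit"),
        "builder_id": statement["builder"]["id"],
        "decision": "block" if reasons else "allow",
        "reasons": reasons,
    }


if __name__ == "__main__":
    key = b"example-shared-key"   # constructed; never hard-code a real signing key
    artifact = b"payments-service build output (constructed sample bytes)"
    envelope = attest(artifact, "a1b2c3d4", "ci://bank-gitlab/runner-prod-01", key)
    for label, candidate in [("genuine", artifact), ("tampered", artifact + b"!")]:
        print(label, json.dumps(verify_release(candidate, envelope, key), indent=2))
```

<p>Because the signature covers the whole statement, an attacker who swaps the builder identity or the subject digest without re-signing is caught by the signature check, and an attacker who swaps the artifact without touching the statement is caught by the digest check. The record keeps the commit, builder and digest together, which is the source → build → artifact link the table asks for.</p>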