{"id":1218,"date":"2025-12-31T00:33:44","date_gmt":"2025-12-30T23:33:44","guid":{"rendered":"https:\/\/regulated-devsecops.com\/uncategorized\/ci-cd-security-audit-compliance-mapping-iso-27001-soc-2-dora-2\/"},"modified":"2026-03-26T00:41:17","modified_gmt":"2026-03-25T23:41:17","slug":"ci-cd-security-audit-compliance-mapping-iso-27001-soc-2-dora","status":"publish","type":"post","link":"https:\/\/regulated-devsecops.com\/fr\/ci-cd-governance\/ci-cd-security-audit-compliance-mapping-iso-27001-soc-2-dora\/","title":{"rendered":"Audit de s\u00e9curit\u00e9 CI\/CD \u2014 Cartographie de conformit\u00e9 (ISO 27001 \/ SOC 2 \/ DORA)"},"content":{"rendered":"\n

Ce tableau d’audit orient\u00e9 conformit\u00e9<\/a> met en correspondance les contr\u00f4les de s\u00e9curit\u00e9 CI\/CD<\/a> avec les r\u00e9f\u00e9rentiels r\u00e9glementaires et d’assurance courants.
Il est destin\u00e9 \u00e0 soutenir les audits internes, les \u00e9valuations externes et la pr\u00e9paration r\u00e9glementaire dans les environnements d’entreprise.<\/p>\n\n\n\n

\n\n\n\n

\ud83d\udd10 Gestion des identit\u00e9s et des acc\u00e8s (IAM)<\/h2>\n\n\n\n
Contr\u00f4le<\/strong><\/th>ISO 27001<\/strong><\/th>SOC 2<\/strong><\/th>DORA<\/strong><\/th>Oui<\/strong><\/th>Non<\/strong><\/th><\/tr><\/thead>
Moindre privil\u00e8ge appliqu\u00e9 aux comptes de service CI\/CD<\/td>A.8.2 \/ A.5.15<\/td>CC6.1<\/td>ICT Risk Mgmt<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
S\u00e9paration entre les identit\u00e9s humaines et de pipeline<\/td>A.6.3<\/td>CC6.3<\/td>Governance<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Acc\u00e8s bas\u00e9 sur les r\u00f4les pour la configuration des pipelines<\/td>A.5.18<\/td>CC6.2<\/td>Access Control<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
MFA appliqu\u00e9 pour les administrateurs CI\/CD<\/td>A.5.17<\/td>CC6.1<\/td>ICT Security<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Approbation requise pour les actions de pipeline privil\u00e9gi\u00e9es<\/td>A.5.19<\/td>CC7.2<\/td>Change Mgmt<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\n\n\n\n

\ud83d\udd11 Gestion des secrets<\/h2>\n\n\n\n
Contr\u00f4le<\/strong><\/th>ISO 27001<\/strong><\/th>SOC 2<\/strong><\/th>DORA<\/strong><\/th>Oui<\/strong><\/th>Non<\/strong><\/th><\/tr><\/thead>
Secrets non stock\u00e9s dans le contr\u00f4le de source<\/td>A.8.12<\/td>CC6.1<\/td>ICT Security<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Injection des secrets au moment de l’ex\u00e9cution<\/td>A.8.24<\/td>CC6.7<\/td>ICT Risk Mgmt<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Secrets limit\u00e9s par environnement<\/td>A.5.15<\/td>CC6.2<\/td>Governance<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Rotation r\u00e9guli\u00e8re des secrets<\/td>A.8.15<\/td>CC6.1<\/td>ICT Security<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Valeurs des secrets exclues des journaux<\/td>A.8.16<\/td>CC7.2<\/td>Monitoring<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\n\n\n\n

\ud83d\udce6 Int\u00e9grit\u00e9 des artefacts et cha\u00eene d’approvisionnement logicielle<\/h2>\n\n\n\n
Contr\u00f4le<\/strong><\/th>ISO 27001<\/strong><\/th>SOC 2<\/strong><\/th>DORA<\/strong><\/th>Oui<\/strong><\/th>Non<\/strong><\/th><\/tr><\/thead>
Environnements de build CI\/CD durcis<\/td>A.8.20<\/td>CC6.6<\/td>ICT Resilience<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Signature des artefacts appliqu\u00e9e<\/td>A.8.23<\/td>CC7.3<\/td>Supply Chain<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Provenance reliant code, pipeline et artefact<\/td>A.8.9<\/td>CC7.2<\/td>Traceability<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
D\u00e9p\u00f4ts d’artefacts appliquant l’immuabilit\u00e9<\/td>A.8.10<\/td>CC6.5<\/td>ICT Security<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Promotion limit\u00e9e aux artefacts de confiance<\/td>A.8.21<\/td>CC6.6<\/td>Change Mgmt<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\n\n\n\n

\ud83d\udd17 Int\u00e9grations tierces et CI\/CD<\/h2>\n\n\n\n
Contr\u00f4le<\/strong><\/th>ISO 27001<\/strong><\/th>SOC 2<\/strong><\/th>DORA<\/strong><\/th>Oui<\/strong><\/th>Non<\/strong><\/th><\/tr><\/thead>
Plugins CI\/CD tiers formellement approuv\u00e9s<\/td>A.5.22<\/td>CC6.3<\/td>Third-Party Risk<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Int\u00e9grations \u00e9pingl\u00e9es \u00e0 des versions sp\u00e9cifiques<\/td>A.8.8<\/td>CC7.3<\/td>Supply Chain<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
V\u00e9rification d’int\u00e9grit\u00e9 des actions externes<\/td>A.8.23<\/td>CC7.3<\/td>ICT Security<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Restriction des plugins maintenus par la communaut\u00e9<\/td>A.5.23<\/td>CC6.6<\/td>Risk Mgmt<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Surveillance de l’utilisation des int\u00e9grations<\/td>A.8.16<\/td>CC7.2<\/td>Monitoring<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\n\n\n\n

\ud83d\udcca Journalisation, surveillance et preuves d’audit<\/h2>\n\n\n\n
Contr\u00f4le<\/strong><\/th>ISO 27001<\/strong><\/th>SOC 2<\/strong><\/th>DORA<\/strong><\/th>Oui<\/strong><\/th>Non<\/strong><\/th><\/tr><\/thead>
Activit\u00e9 des pipelines CI\/CD enti\u00e8rement journalis\u00e9e<\/td>A.8.15<\/td>CC7.2<\/td>Monitoring<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Les journaux incluent les approbations et les contr\u00f4les de s\u00e9curit\u00e9<\/td>A.8.14<\/td>CC7.3<\/td>Governance<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Collecte centralis\u00e9e des journaux<\/td>A.8.16<\/td>CC7.2<\/td>ICT Risk Mgmt<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
R\u00e9tention des journaux align\u00e9e sur la politique<\/td>A.5.34<\/td>CC7.4<\/td>Record Keeping<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Les preuves supportent les audits et les investigations<\/td>A.5.31<\/td>CC2.2<\/td>Compliance<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\n\n\n\n

\ud83d\udee1\ufe0f Gestion des changements et gouvernance<\/h2>\n\n\n\n
Contr\u00f4le<\/strong><\/th>ISO 27001<\/strong><\/th>SOC 2<\/strong><\/th>DORA<\/strong><\/th>Oui<\/strong><\/th>Non<\/strong><\/th><\/tr><\/thead>
Changements revus et approuv\u00e9s via le pipeline<\/td>A.8.32<\/td>CC8.1<\/td>Change Mgmt<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
S\u00e9paration entre les r\u00f4les de build et de d\u00e9ploiement<\/td>A.6.3<\/td>CC6.3<\/td>Governance<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Application des politiques via des portes automatis\u00e9es<\/td>A.5.19<\/td>CC7.2<\/td>ICT Security<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Exceptions formellement approuv\u00e9es et journalis\u00e9es<\/td>A.5.31<\/td>CC2.3<\/td>Compliance<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Gouvernance CI\/CD revue p\u00e9riodiquement<\/td>A.5.36<\/td>CC1.2<\/td>Oversight<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\n\n\n\n

Comment utiliser ce tableau d’audit de conformit\u00e9<\/h2>\n\n\n\n