{"id":1251,"date":"2025-12-31T00:33:24","date_gmt":"2025-12-30T23:33:24","guid":{"rendered":"https:\/\/regulated-devsecops.com\/uncategorized\/ci-cd-security-audit-compliance-mapping-nis2-pci-dss-2\/"},"modified":"2026-03-26T00:41:29","modified_gmt":"2026-03-25T23:41:29","slug":"ci-cd-security-audit-compliance-mapping-nis2-pci-dss","status":"publish","type":"post","link":"https:\/\/regulated-devsecops.com\/fr\/ci-cd-governance\/ci-cd-security-audit-compliance-mapping-nis2-pci-dss\/","title":{"rendered":"Audit de s\u00e9curit\u00e9 CI\/CD \u2014 Cartographie de conformit\u00e9 (NIS2 \/ PCI DSS)"},"content":{"rendered":"\n

Ce tableau d’audit met en correspondance les contr\u00f4les de s\u00e9curit\u00e9 CI\/CD<\/a> avec les exigences de la directive NIS2 et les contr\u00f4les PCI DSS.
Il soutient la gestion des risques, la s\u00e9curit\u00e9 de la cha\u00eene d’approvisionnement et la pr\u00e9paration aux audits pour les syst\u00e8mes critiques et li\u00e9s aux paiements.<\/p>\n\n\n\n

\n\n\n\n

\ud83d\udd10 Gestion des identit\u00e9s et des acc\u00e8s (IAM)<\/h2>\n\n\n\n
Contr\u00f4le<\/strong><\/th>NIS2<\/strong><\/th>PCI DSS<\/strong><\/th>Oui<\/strong><\/th>Non<\/strong><\/th><\/tr><\/thead>
Moindre privil\u00e8ge appliqu\u00e9 aux comptes de service CI\/CD<\/td>Art. 21(2)(b)<\/td>Req. 7.2<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
S\u00e9paration des identit\u00e9s humaines et de pipeline<\/td>Art. 21(2)(d)<\/td>Req. 7.1<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
RBAC appliqu\u00e9 pour les syst\u00e8mes CI\/CD<\/td>Art. 21(2)(b)<\/td>Req. 7.2<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
MFA appliqu\u00e9 pour les administrateurs CI\/CD<\/td>Art. 21(2)(a)<\/td>Req. 8.4<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Les actions privil\u00e9gi\u00e9es n\u00e9cessitent une approbation<\/td>Art. 21(2)(d)<\/td>Req. 6.4<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\n\n\n\n

\ud83d\udd11 Gestion des secrets et des identifiants<\/h2>\n\n\n\n
Contr\u00f4le<\/strong><\/th>NIS2<\/strong><\/th>PCI DSS<\/strong><\/th>Oui<\/strong><\/th>Non<\/strong><\/th><\/tr><\/thead>
Secrets non stock\u00e9s dans le code source<\/td>Art. 21(2)(a)<\/td>Req. 3.4<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Injection des secrets au moment de l’ex\u00e9cution<\/td>Art. 21(2)(a)<\/td>Req. 3.6<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Identifiants limit\u00e9s par environnement<\/td>Art. 21(2)(b)<\/td>Req. 7.2<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Rotation r\u00e9guli\u00e8re des secrets<\/td>Art. 21(2)(c)<\/td>Req. 3.6.4<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Secrets exclus des journaux<\/td>Art. 21(2)(a)<\/td>Req. 10.5<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\n\n\n\n

\ud83d\udce6 Cha\u00eene d’approvisionnement logicielle et int\u00e9grit\u00e9 des artefacts<\/h2>\n\n\n\n
Contr\u00f4le<\/strong><\/th>NIS2<\/strong><\/th>PCI DSS<\/strong><\/th>Oui<\/strong><\/th>Non<\/strong><\/th><\/tr><\/thead>
Environnements de build CI\/CD durcis<\/td>Art. 21(2)(e)<\/td>Req. 6.2<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Signature des artefacts appliqu\u00e9e<\/td>Art. 21(2)(e)<\/td>Req. 6.3<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Provenance et tra\u00e7abilit\u00e9 des artefacts<\/td>Art. 21(2)(e)<\/td>Req. 6.4<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
D\u00e9p\u00f4ts d’artefacts immuables<\/td>Art. 21(2)(a)<\/td>Req. 6.4<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Seuls les artefacts de confiance sont promus<\/td>Art. 21(2)(d)<\/td>Req. 6.4<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\n\n\n\n

\ud83d\udd17 Int\u00e9grations tierces et CI\/CD<\/h2>\n\n\n\n
Contr\u00f4le<\/strong><\/th>NIS2<\/strong><\/th>PCI DSS<\/strong><\/th>Oui<\/strong><\/th>Non<\/strong><\/th><\/tr><\/thead>
Outils CI\/CD tiers formellement approuv\u00e9s<\/td>Art. 21(2)(e)<\/td>Req. 12.8<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Actions tierces \u00e9pingl\u00e9es \u00e0 des versions sp\u00e9cifiques<\/td>Art. 21(2)(e)<\/td>Req. 6.3<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Int\u00e9grit\u00e9 des composants CI\/CD externes v\u00e9rifi\u00e9e<\/td>Art. 21(2)(e)<\/td>Req. 6.2<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Plugins communautaires restreints<\/td>Art. 21(2)(b)<\/td>Req. 6.2<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Activit\u00e9 des int\u00e9grations surveill\u00e9e<\/td>Art. 21(2)(c)<\/td>Req. 10.4<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\n\n\n\n

\ud83d\udcca Journalisation, surveillance et pr\u00e9paration aux incidents<\/h2>\n\n\n\n
Contr\u00f4le<\/strong><\/th>NIS2<\/strong><\/th>PCI DSS<\/strong><\/th>Oui<\/strong><\/th>Non<\/strong><\/th><\/tr><\/thead>
Activit\u00e9 des pipelines CI\/CD enti\u00e8rement journalis\u00e9e<\/td>Art. 21(2)(c)<\/td>Req. 10.2<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Les journaux incluent les approbations et les \u00e9v\u00e9nements de s\u00e9curit\u00e9<\/td>Art. 21(2)(c)<\/td>Req. 10.3<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Journalisation centralis\u00e9e activ\u00e9e<\/td>Art. 21(2)(c)<\/td>Req. 10.5<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
R\u00e9tention des journaux align\u00e9e sur la politique<\/td>Art. 21(2)(c)<\/td>Req. 10.7<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Les journaux CI\/CD supportent l’investigation des incidents<\/td>Art. 23<\/td>Req. 12.10<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\n\n\n\n

\ud83d\udee1\ufe0f Gouvernance, risques et gestion des changements<\/h2>\n\n\n\n
Contr\u00f4le<\/strong><\/th>NIS2<\/strong><\/th>PCI DSS<\/strong><\/th>Oui<\/strong><\/th>Non<\/strong><\/th><\/tr><\/thead>
CI\/CD inclus dans la gestion des risques de cybers\u00e9curit\u00e9<\/td>Art. 21<\/td>Req. 12.2<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
S\u00e9paration des fonctions appliqu\u00e9e<\/td>Art. 21(2)(d)<\/td>Req. 7.1<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Approbations des changements appliqu\u00e9es via les pipelines<\/td>Art. 21(2)(d)<\/td>Req. 6.4<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Exceptions formellement approuv\u00e9es et document\u00e9es<\/td>Art. 21(2)(b)<\/td>Req. 12.3<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr>
Posture de s\u00e9curit\u00e9 CI\/CD revue p\u00e9riodiquement<\/td>Art. 21(2)(f)<\/td>Req. 12.11<\/td>\u2b1c<\/td>\u2b1c<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\n\n\n\n

Comment utiliser ce tableau d’audit NIS2 \/ PCI DSS<\/h2>\n\n\n\n