{"id":1319,"date":"2026-03-04T08:05:37","date_gmt":"2026-03-04T07:05:37","guid":{"rendered":"https:\/\/regulated-devsecops.com\/uncategorized\/dora-article-28-controls-evidence-mapping-2\/"},"modified":"2026-03-26T00:16:00","modified_gmt":"2026-03-25T23:16:00","slug":"dora-article-28-controls-evidence-mapping","status":"publish","type":"post","link":"https:\/\/regulated-devsecops.com\/fr\/regulatory-frameworks\/dora-article-28-controls-evidence-mapping\/","title":{"rendered":"DORA Article 28 \u2014 Controls and Evidence Mapping"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>This article links the obligations of DORA Article 28 to concrete technical controls and to the evidence auditors expect to verify. It bridges two complementary perspectives:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>From tooling to evidence<\/strong>: how the DevSecOps and CI\/CD tools commonly used in enterprises enforce controls and produce audit-ready outputs.<\/li>\n\n\n\n<li><strong>From regulation to evidence<\/strong>: how each Article 28 requirement maps to implementable controls and verifiable evidence.<\/li>\n<\/ul>\n\n\n\n<p>The goal is to remove the ambiguity between regulatory text, tooling, governance and compliance, and to provide a single reference for audit preparation and continuous compliance.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Mapping by Article 28 obligation<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1. 
Identification of ICT third parties<\/h3>\n\n\n\n<p><strong>Article 28 requirement:<\/strong> Financial entities must identify and maintain an inventory of all ICT third-party service providers.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Controls implemented<\/th><th>Evidence produced<\/th><\/tr><\/thead><tbody><tr><td>Centralized inventory of ICT suppliers<\/td><td>Supplier register export<\/td><\/tr><tr><td>Mandatory registration of CI\/CD, cloud and SaaS tools<\/td><td>Inventory records including CI\/CD tools<\/td><\/tr><tr><td>Ownership and business mapping<\/td><td>Supplier \u2192 business service mapping<\/td><\/tr><tr><td>Periodic inventory review<\/td><td>Review minutes \/ logs<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">2. Criticality classification<\/h3>\n\n\n\n<p><strong>Article 28 requirement:<\/strong> ICT third-party service providers must be classified according to their criticality and risk.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Controls implemented<\/th><th>Evidence produced<\/th><\/tr><\/thead><tbody><tr><td>Risk-based supplier classification framework<\/td><td>Classification methodology<\/td><\/tr><tr><td>Identification of critical ICT suppliers<\/td><td>List of critical suppliers<\/td><\/tr><tr><td>CI\/CD tools classified when they support critical services<\/td><td>CI\/CD \u2192 services mapping<\/td><\/tr><tr><td>Governance escalation for critical suppliers<\/td><td>Risk committee records<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">3. 
Pre-contractual due diligence<\/h3>\n\n\n\n<p><strong>Article 28 requirement:<\/strong> Risk assessments must be carried out before contractual arrangements are concluded.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Controls implemented<\/th><th>Evidence produced<\/th><\/tr><\/thead><tbody><tr><td>Security due diligence process<\/td><td>Due diligence reports<\/td><\/tr><tr><td>Risk assessment covering ICT and operational risks<\/td><td>Risk assessment documents<\/td><\/tr><tr><td>Subcontractor disclosure review<\/td><td>Supplier disclosures<\/td><\/tr><tr><td>Formal approval before onboarding<\/td><td>Approval records<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">4. Contractual safeguards<\/h3>\n\n\n\n<p><strong>Article 28 requirement:<\/strong> Contracts must include minimum security, audit and exit provisions.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Controls implemented<\/th><th>Evidence produced<\/th><\/tr><\/thead><tbody><tr><td>Standard contractual clauses for ICT suppliers<\/td><td>Contractual clause extracts<\/td><\/tr><tr><td>Audit and inspection rights<\/td><td>Signed contracts<\/td><\/tr><tr><td>Incident notification SLA<\/td><td>SLA documentation<\/td><\/tr><tr><td>Evidence retention obligations<\/td><td>Contractual terms<\/td><\/tr><tr><td>Exit and termination clauses<\/td><td>Exit provisions<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">5. 
Access control &amp; segregation of duties<\/h3>\n\n\n\n<p><strong>Article 28 requirement:<\/strong> Access to ICT services must be appropriately controlled.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Controls implemented<\/th><th>Evidence produced<\/th><\/tr><\/thead><tbody><tr><td>Role-based access control (RBAC)<\/td><td>IAM configuration exports<\/td><\/tr><tr><td>Segregation of duties in CI\/CD<\/td><td>Access matrix<\/td><\/tr><tr><td>Privileged access monitoring<\/td><td>Access logs<\/td><\/tr><tr><td>Periodic access reviews<\/td><td>Review reports<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">6. CI\/CD enforcement controls<\/h3>\n\n\n\n<p><strong>Article 28 requirement:<\/strong> Controls must prevent unauthorized changes and ensure integrity.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Controls implemented<\/th><th>Evidence produced<\/th><\/tr><\/thead><tbody><tr><td>Mandatory approvals and policy gates<\/td><td>Pipeline configurations<\/td><\/tr><tr><td>Policy-as-code enforcement<\/td><td>Policy definitions<\/td><\/tr><tr><td>Controlled CI\/CD runners<\/td><td>Runner configuration<\/td><\/tr><tr><td>Artifact integrity protection<\/td><td>SBOM, signing reports<\/td><\/tr><tr><td>Change traceability<\/td><td>CI\/CD audit logs<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">7. 
Monitoring &amp; incident management<\/h3>\n\n\n\n<p><strong>Article 28 requirement:<\/strong> ICT third-party risks must be continuously monitored.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Controls implemented<\/th><th>Evidence produced<\/th><\/tr><\/thead><tbody><tr><td>Continuous monitoring of ICT services<\/td><td>Monitoring dashboards<\/td><\/tr><tr><td>Alerts on third-party failures<\/td><td>Alert logs<\/td><\/tr><tr><td>Incident tracking<\/td><td>Incident tickets<\/td><\/tr><tr><td>Incident escalation procedures<\/td><td>Incident workflows<\/td><\/tr><tr><td>Post-incident reviews<\/td><td>RCA reports<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">8. Subcontractor governance<\/h3>\n\n\n\n<p><strong>Article 28 requirement:<\/strong> Risks arising from subcontracting chains must be managed.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Controls implemented<\/th><th>Evidence produced<\/th><\/tr><\/thead><tbody><tr><td>Visibility into subcontractors<\/td><td>Supplier disclosures<\/td><\/tr><tr><td>Subcontractor approval process<\/td><td>Approval records<\/td><\/tr><tr><td>Risk assessments for subcontractors<\/td><td>Risk reports<\/td><\/tr><tr><td>Monitoring of subcontractor changes<\/td><td>Change notifications<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">9. 
Exit strategy &amp; resilience<\/h3>\n\n\n\n<p><strong>Article 28 requirement:<\/strong> Exit strategies must ensure continuity in the event of supplier failure.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Controls implemented<\/th><th>Evidence produced<\/th><\/tr><\/thead><tbody><tr><td>Documented exit strategies<\/td><td>Exit plans<\/td><\/tr><tr><td>Feasibility assessments<\/td><td>Feasibility reports<\/td><\/tr><tr><td>Exit or fallback tests<\/td><td>Test reports<\/td><\/tr><tr><td>Periodic review of exit plans<\/td><td>Review records<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">10. Evidence management &amp; retention<\/h3>\n\n\n\n<p><strong>Article 28 requirement:<\/strong> Evidence must be available, protected and retained.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Controls implemented<\/th><th>Evidence produced<\/th><\/tr><\/thead><tbody><tr><td>Centralized evidence repository<\/td><td>Evidence storage<\/td><\/tr><tr><td>Timestamped, immutable logs<\/td><td>Logging configuration<\/td><\/tr><tr><td>Enforced retention policies<\/td><td>Retention policy documents<\/td><\/tr><tr><td>Controlled access to evidence<\/td><td>Access logs<\/td><\/tr><tr><td>On-demand evidence production<\/td><td>Audit extracts<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Mapping by tooling category<\/h2>\n\n\n\n<p>The following section maps commonly used enterprise DevSecOps tools to the controls they enforce and the evidence they produce under 
DORA Article 28.<\/p>\n\n\n\n<!-- GeneratePress Inline SVG \u2013 Regulated DevSecOps -->\n<figure class=\"gp-rds-diagram\">\n<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\"\n     viewBox=\"0 0 1200 520\"\n     role=\"img\"\n     aria-labelledby=\"title desc\"\n     data-theme=\"light\">\n  <title id=\"title\">DORA Article 28 \u2014 Tools \u2192 Controls \u2192 Evidence<\/title>\n  <desc id=\"desc\">\n    Diagram mapping enterprise DevSecOps tooling to enforceable CI\/CD controls and resulting audit evidence,\n    with cross-cutting DORA Article 28 third-party governance requirements.\n  <\/desc>\n\n  <style>\n    :root{\n      --bg:transparent;\n      --text:#0f172a;\n      --muted:#475569;\n      --stroke:#cbd5e1;\n      --card:#ffffff;\n\n      --accent:#2563eb;\n      --accentSoft:#dbeafe;\n\n      --sec:#7c3aed;\n      --secSoft:#ede9fe;\n\n      --ev:#059669;\n      --evSoft:#d1fae5;\n\n      --warn:#b45309;\n      --warnSoft:#ffedd5;\n    }\n\n    svg[data-theme=\"dark\"]{\n      --text:#e5e7eb;\n      --muted:#9ca3af;\n      --stroke:#374151;\n      --card:#0b1220;\n\n      --accent:#60a5fa;\n      --accentSoft:#0b2a55;\n\n      --sec:#a78bfa;\n      --secSoft:#2a144d;\n\n      --ev:#34d399;\n      --evSoft:#063a2c;\n\n      --warn:#f59e0b;\n      --warnSoft:#3b2a07;\n    }\n\n    .txt{font-family:ui-sans-serif,system-ui,-apple-system,Segoe UI,Roboto,Arial;}\n    .title{font-weight:800;font-size:22px;fill:var(--text);}\n    .sub{font-weight:500;font-size:14px;fill:var(--muted);}\n\n    .label{font-weight:900;font-size:12px;fill:var(--text);letter-spacing:.06em;}\n    .h{font-weight:800;font-size:14px;fill:var(--text);}\n    .small{font-weight:600;font-size:12px;fill:var(--muted);}\n\n    .card{fill:var(--card);stroke:var(--stroke);stroke-width:1.5;rx:14;}\n    .panel{fill:transparent;stroke:var(--stroke);stroke-width:1.5;rx:14;stroke-dasharray:6 6;}\n\n    .chip{fill:transparent;stroke:var(--stroke);stroke-width:1.5;rx:7;}\n    
.chipText{font-weight:800;font-size:12px;fill:var(--text);}\n\n    .tools .chip{stroke:var(--accent);fill:var(--accentSoft);}\n    .controls .chip{stroke:var(--sec);fill:var(--secSoft);}\n    .evidence .chip{stroke:var(--ev);fill:var(--evSoft);}\n    .warn .chip{stroke:var(--warn);fill:var(--warnSoft);}\n\n    .flow{fill:none;stroke:var(--stroke);stroke-width:2.5;stroke-linecap:round;stroke-linejoin:round;}\n    .arrow{marker-end:url(#arrow);}\n    .link{fill:none;stroke:var(--accent);stroke-width:2.5;stroke-linecap:round;stroke-dasharray:7 7;opacity:.85;}\n\n    .band{fill:transparent;stroke:var(--stroke);stroke-width:1.5;rx:14;stroke-dasharray:6 6;}\n    .bandTitle{font-weight:900;font-size:12px;fill:var(--muted);letter-spacing:.06em;}\n  <\/style>\n\n  <defs>\n    <marker id=\"arrow\" viewBox=\"0 0 10 10\" refX=\"9.2\" refY=\"5\" markerWidth=\"7\" markerHeight=\"7\" orient=\"auto\">\n      <path d=\"M0 0 L10 5 L0 10 Z\" fill=\"var(--stroke)\"\/>\n    <\/marker>\n  <\/defs>\n\n  <!-- Header -->\n  <text class=\"txt title\" x=\"40\" y=\"48\">Tools \u2192 Controls \u2192 Evidence<\/text>\n  <text class=\"txt sub\" x=\"40\" y=\"74\">DORA Article 28 view: third-party ICT governance enforced through CI\/CD controls and provable evidence.<\/text>\n\n  <!-- Cross-cutting controls band -->\n  <g transform=\"translate(40,92)\">\n    <rect class=\"band\" x=\"0\" y=\"0\" width=\"1120\" height=\"62\"\/>\n    <text class=\"txt bandTitle\" x=\"18\" y=\"36\">CROSS-CUTTING (ARTICLE 28)<\/text>\n\n    <g class=\"warn\" transform=\"translate(320,16)\">\n      <rect class=\"chip\" x=\"0\" y=\"0\" width=\"170\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"85\" y=\"20\" text-anchor=\"middle\">Supplier governance<\/text>\n    <\/g>\n\n    <g class=\"warn\" transform=\"translate(500,16)\">\n      <rect class=\"chip\" x=\"0\" y=\"0\" width=\"150\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"75\" y=\"20\" text-anchor=\"middle\">Contract clauses<\/text>\n    
<\/g>\n\n    <g class=\"warn\" transform=\"translate(660,16)\">\n      <rect class=\"chip\" x=\"0\" y=\"0\" width=\"120\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"60\" y=\"20\" text-anchor=\"middle\">Monitoring<\/text>\n    <\/g>\n\n    <g class=\"warn\" transform=\"translate(790,16)\">\n      <rect class=\"chip\" x=\"0\" y=\"0\" width=\"110\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"55\" y=\"20\" text-anchor=\"middle\">Exit plan<\/text>\n    <\/g>\n\n    <g class=\"warn\" transform=\"translate(910,16)\">\n      <rect class=\"chip\" x=\"0\" y=\"0\" width=\"190\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"95\" y=\"20\" text-anchor=\"middle\">Evidence retention<\/text>\n    <\/g>\n  <\/g>\n\n  <!-- Main panels -->\n  <g transform=\"translate(40,160)\">\n    <rect class=\"panel\" x=\"0\" y=\"0\" width=\"1120\" height=\"300\"\/>\n    <text class=\"txt label\" x=\"18\" y=\"28\">MAPPING LAYER<\/text>\n  <\/g>\n\n  <!-- Column titles -->\n  <text class=\"txt h\" x=\"120\" y=\"210\">Tools<\/text>\n  <text class=\"txt small\" x=\"120\" y=\"232\">Platforms &amp; services<\/text>\n\n  <text class=\"txt h\" x=\"520\" y=\"210\">Controls<\/text>\n  <text class=\"txt small\" x=\"520\" y=\"232\">Enforced requirements<\/text>\n\n  <text class=\"txt h\" x=\"900\" y=\"210\">Evidence<\/text>\n  <text class=\"txt small\" x=\"900\" y=\"232\">What auditors verify<\/text>\n\n  <!-- Tools cards -->\n  <g transform=\"translate(80,250)\" class=\"tools\">\n    <rect class=\"card\" width=\"300\" height=\"190\"\/>\n    <text class=\"txt label\" x=\"18\" y=\"28\">TOOLS<\/text>\n\n    <g transform=\"translate(18,48)\">\n      <rect class=\"chip\" width=\"264\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"132\" y=\"20\" text-anchor=\"middle\">Git \/ Source Hosting<\/text>\n    <\/g>\n    <g transform=\"translate(18,84)\">\n      <rect class=\"chip\" width=\"264\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"132\" y=\"20\" 
text-anchor=\"middle\">CI\/CD Orchestrator + Runners<\/text>\n    <\/g>\n    <g transform=\"translate(18,120)\">\n      <rect class=\"chip\" width=\"264\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"132\" y=\"20\" text-anchor=\"middle\">Registries + Dependencies<\/text>\n    <\/g>\n    <g transform=\"translate(18,156)\">\n      <rect class=\"chip\" width=\"264\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"132\" y=\"20\" text-anchor=\"middle\">Cloud Runtime + Observability<\/text>\n    <\/g>\n  <\/g>\n\n  <!-- Controls cards -->\n  <g transform=\"translate(450,250)\" class=\"controls\">\n    <rect class=\"card\" width=\"320\" height=\"190\"\/>\n    <text class=\"txt label\" x=\"18\" y=\"28\">CONTROLS<\/text>\n\n    <g transform=\"translate(18,48)\">\n      <rect class=\"chip\" width=\"284\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"142\" y=\"20\" text-anchor=\"middle\">Access control + MFA + SoD<\/text>\n    <\/g>\n    <g transform=\"translate(18,84)\">\n      <rect class=\"chip\" width=\"284\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"142\" y=\"20\" text-anchor=\"middle\">Approvals + policy gates<\/text>\n    <\/g>\n    <g transform=\"translate(18,120)\">\n      <rect class=\"chip\" width=\"284\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"142\" y=\"20\" text-anchor=\"middle\">Integrity: SBOM + signing + provenance<\/text>\n    <\/g>\n    <g transform=\"translate(18,156)\">\n      <rect class=\"chip\" width=\"284\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"142\" y=\"20\" text-anchor=\"middle\">Monitoring + incident workflows<\/text>\n    <\/g>\n  <\/g>\n\n  <!-- Evidence cards -->\n  <g transform=\"translate(820,250)\" class=\"evidence\">\n    <rect class=\"card\" width=\"300\" height=\"190\"\/>\n    <text class=\"txt label\" x=\"18\" y=\"28\">EVIDENCE<\/text>\n\n    <g transform=\"translate(18,48)\">\n      <rect class=\"chip\" width=\"264\" height=\"30\"\/>\n      <text 
class=\"txt chipText\" x=\"132\" y=\"20\" text-anchor=\"middle\">Audit logs + access reviews<\/text>\n    <\/g>\n    <g transform=\"translate(18,84)\">\n      <rect class=\"chip\" width=\"264\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"132\" y=\"20\" text-anchor=\"middle\">Approvals &amp; change traceability<\/text>\n    <\/g>\n    <g transform=\"translate(18,120)\">\n      <rect class=\"chip\" width=\"264\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"132\" y=\"20\" text-anchor=\"middle\">SBOM + attestations + signatures<\/text>\n    <\/g>\n    <g transform=\"translate(18,156)\">\n      <rect class=\"chip\" width=\"264\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"132\" y=\"20\" text-anchor=\"middle\">Monitoring data + incident records<\/text>\n    <\/g>\n  <\/g>\n\n  <!-- Main flow arrows -->\n  <path class=\"flow arrow\" d=\"M 380 360 L 450 360\"\/>\n  <path class=\"flow arrow\" d=\"M 770 360 L 820 360\"\/>\n\n  <!-- Dotted alignment links (tool -> control -> evidence rows) -->\n  <!-- Row 1 -->\n  <path class=\"link\" d=\"M 360 313 L 470 313\"\/>\n  <path class=\"link\" d=\"M 750 313 L 840 313\"\/>\n  <!-- Row 2 -->\n  <path class=\"link\" d=\"M 360 349 L 470 349\"\/>\n  <path class=\"link\" d=\"M 750 349 L 840 349\"\/>\n  <!-- Row 3 -->\n  <path class=\"link\" d=\"M 360 385 L 470 385\"\/>\n  <path class=\"link\" d=\"M 750 385 L 840 385\"\/>\n  <!-- Row 4 -->\n  <path class=\"link\" d=\"M 360 421 L 470 421\"\/>\n  <path class=\"link\" d=\"M 750 421 L 840 421\"\/>\n\n  <!-- Footer note -->\n  <text class=\"txt small\" x=\"60\" y=\"500\">\n    Tip: Under DORA Article 28, tools are acceptable only if they enforce controls and continuously produce auditable evidence.\n  <\/text>\n<\/svg>\n\n  <figcaption class=\"gp-rds-caption\">\n    Diagram mapping enterprise DevSecOps tooling to enforceable CI\/CD controls and resulting audit evidence,\n    with cross-cutting DORA Article 28 third-party governance 
requirements.\n  <\/figcaption>\n<\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">1. Source code management (Git platforms)<\/h3>\n\n\n\n<p><strong>Typical tools:<\/strong> GitHub Enterprise, GitLab, Bitbucket<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Controls enforced<\/th><th>Evidence produced<\/th><\/tr><\/thead><tbody><tr><td>Role-based access control<\/td><td>Repository access logs<\/td><\/tr><tr><td>Segregation of duties (PR vs merge)<\/td><td>Branch protection rules<\/td><\/tr><tr><td>Mandatory reviews and approvals<\/td><td>Pull request history<\/td><\/tr><tr><td>Change traceability<\/td><td>Commit history<\/td><\/tr><tr><td>Third-party access governance<\/td><td>User and token audit logs<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>Article 28 relevance:<\/strong> Git platforms are ICT third-party providers that influence code integrity.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. 
CI\/CD orchestration platforms<\/h3>\n\n\n\n<p><strong>Typical tools:<\/strong> GitHub Actions, GitLab CI, Jenkins (managed), Azure DevOps Pipelines<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Controls enforced<\/th><th>Evidence produced<\/th><\/tr><\/thead><tbody><tr><td>Approval gates in the pipeline<\/td><td>Pipeline configuration exports<\/td><\/tr><tr><td>Policy-as-code enforcement<\/td><td>Policy definitions<\/td><\/tr><tr><td>Controlled execution environments<\/td><td>Runner configuration<\/td><\/tr><tr><td>Least-privilege pipeline tokens<\/td><td>Token scope configuration<\/td><\/tr><tr><td>Pipeline change logging<\/td><td>CI\/CD audit logs<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>Article 28 relevance:<\/strong> SaaS CI\/CD platforms must be governed as critical ICT suppliers.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. 
Build &amp; dependency security (SCA \/ SBOM)<\/h3>\n\n\n\n<p><strong>Typical tools:<\/strong> Snyk, Dependency-Check, Mend, GitHub Dependabot, Syft \/ CycloneDX<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Controls enforced<\/th><th>Evidence produced<\/th><\/tr><\/thead><tbody><tr><td>Dependency risk analysis<\/td><td>SCA reports<\/td><\/tr><tr><td>SBOM generation<\/td><td>SBOM files<\/td><\/tr><tr><td>Provenance tracking<\/td><td>Build metadata<\/td><\/tr><tr><td>Vulnerability monitoring<\/td><td>Alerts and reports<\/td><\/tr><tr><td>Supply chain transparency<\/td><td>Dependency inventories<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>Article 28 relevance:<\/strong> Provides visibility into third-party software risks and subcontractors.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. Artifact repositories &amp; registries<\/h3>\n\n\n\n<p><strong>Typical tools:<\/strong> Artifactory, Nexus, Docker registries, cloud container registries<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Controls enforced<\/th><th>Evidence produced<\/th><\/tr><\/thead><tbody><tr><td>Artifact access control<\/td><td>Repository access logs<\/td><\/tr><tr><td>Artifact immutability<\/td><td>Repository configuration<\/td><\/tr><tr><td>Artifact signing<\/td><td>Signature verification<\/td><\/tr><tr><td>Provenance verification<\/td><td>Attestation records<\/td><\/tr><tr><td>Retention policies<\/td><td>Retention configuration<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>Article 28 relevance:<\/strong> Protects the integrity of deliverables supplied by third-party systems.<\/p>\n\n\n\n<h3 
class=\"wp-block-heading\">5. Runtime &amp; cloud platforms<\/h3>\n\n\n\n<p><strong>Typical tools:<\/strong> AWS \/ Azure \/ GCP, Kubernetes platforms, managed PaaS services<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Controls enforced<\/th><th>Evidence produced<\/th><\/tr><\/thead><tbody><tr><td>IAM and role separation<\/td><td>IAM policy exports<\/td><\/tr><tr><td>Network isolation<\/td><td>Security group configurations<\/td><\/tr><tr><td>Runtime monitoring<\/td><td>Logs and metrics<\/td><\/tr><tr><td>Incident detection<\/td><td>Alerts<\/td><\/tr><tr><td>Availability monitoring<\/td><td>SLA reports<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>Article 28 relevance:<\/strong> Cloud providers are critical ICT third-party service providers.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">6. Secrets management<\/h3>\n\n\n\n<p><strong>Typical tools:<\/strong> HashiCorp Vault, cloud-native secrets managers, CI\/CD secret storage<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Controls enforced<\/th><th>Evidence produced<\/th><\/tr><\/thead><tbody><tr><td>Centralized secret storage<\/td><td>Secrets inventory<\/td><\/tr><tr><td>Access restriction<\/td><td>Access logs<\/td><\/tr><tr><td>Secret rotation<\/td><td>Rotation records<\/td><\/tr><tr><td>Prevention of hard-coded secrets<\/td><td>Scan reports<\/td><\/tr><tr><td>Auditability<\/td><td>Secret access trails<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>Article 28 relevance:<\/strong> Controls access to sensitive data managed by third-party platforms.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">7. 
Monitoring, logging &amp; SIEM<\/h3>\n\n\n\n<p><strong>Typical tools:<\/strong> Splunk, Elastic, Datadog, cloud-native logging<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Controls enforced<\/th><th>Evidence produced<\/th><\/tr><\/thead><tbody><tr><td>Centralized log collection<\/td><td>Log ingestion records<\/td><\/tr><tr><td>Third-party service monitoring<\/td><td>Dashboards<\/td><\/tr><tr><td>Incident alerting<\/td><td>Alert logs<\/td><\/tr><tr><td>Incident correlation<\/td><td>Incident tickets<\/td><\/tr><tr><td>Evidence retention<\/td><td>Retention policies<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>Article 28 relevance:<\/strong> Supports continuous monitoring and incident evidence obligations.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">8. Identity &amp; access management (IAM)<\/h3>\n\n\n\n<p><strong>Typical tools:<\/strong> Enterprise IAM, cloud IAM, SSO platforms<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Controls enforced<\/th><th>Evidence produced<\/th><\/tr><\/thead><tbody><tr><td>Centralized identity management<\/td><td>User inventories<\/td><\/tr><tr><td>MFA enforcement<\/td><td>Authentication logs<\/td><\/tr><tr><td>Role separation<\/td><td>Role definitions<\/td><\/tr><tr><td>Access reviews<\/td><td>Review records<\/td><\/tr><tr><td>Access revocation<\/td><td>Offboarding logs<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>Article 28 relevance:<\/strong> Ensures controlled access to ICT third-party platforms.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">9. 
Governance &amp; risk management platforms<\/h3>\n\n\n\n<p><strong>Typical tools:<\/strong> GRC platforms, CMDB, risk registers<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Controls enforced<\/th><th>Evidence produced<\/th><\/tr><\/thead><tbody><tr><td>Supplier inventory<\/td><td>Supplier registers<\/td><\/tr><tr><td>Risk assessments<\/td><td>Risk reports<\/td><\/tr><tr><td>Criticality classification<\/td><td>Classification records<\/td><\/tr><tr><td>Control ownership<\/td><td>RACI documentation<\/td><\/tr><tr><td>Audit preparation<\/td><td>Evidence repositories<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>Article 28 relevance:<\/strong> Provides the governance backbone for managing ICT third-party risk.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">End-to-end view<\/h2>\n\n\n\n<p>Under DORA Article 28:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Tools<\/strong> are not synonymous with compliance.<\/li>\n\n\n\n<li><strong>Controls<\/strong> create compliance.<\/li>\n\n\n\n<li><strong>Evidence<\/strong> proves compliance.<\/li>\n<\/ul>\n\n\n\n<p>Tools are acceptable only if they enforce controls and generate verifiable evidence.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How auditors use this mapping<\/h2>\n\n\n\n<p>Auditors typically proceed as follows:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Start from the <strong>Article 28 requirements<\/strong> (obligation mapping).<\/li>\n\n\n\n<li>Identify the <strong>ICT third-party provider<\/strong> and its tooling category.<\/li>\n\n\n\n<li>Verify that the <strong>controls exist and operate<\/strong> through the tooling.<\/li>\n\n\n\n<li>Request the <strong>direct evidence outputs<\/strong> for each control.<\/li>\n\n\n\n<li>Validate <strong>consistency over time<\/strong>.<\/li>\n<\/ol>\n\n\n\n<p>Any missing link between obligation \u2192 control \u2192 evidence, or between tool \u2192 control \u2192 evidence, is a potential finding. If a control cannot produce evidence, it is considered ineffective.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key takeaway<\/h2>\n\n\n\n<p>Compliance with DORA Article 28 is achieved when every regulatory requirement is traceable to controls and every control produces evidence, regardless of the tooling used.<\/p>\n\n\n\n<p>This dual mapping (by obligation and by tool) provides the foundation for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>audit preparation,<\/li>\n\n\n\n<li>continuous compliance,<\/li>\n\n\n\n<li>CI\/CD governance in regulated environments.<\/li>\n<\/ul>\n\n\n\n<p>A DORA-aligned CI\/CD environment is one where every third-party tool is governed, every control is technically enforced, and every control produces evidence automatically.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Recommended related content<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/regulatory-frameworks\/dora-article-28-evidence-pack\/\" data-type=\"post\" data-id=\"366\">DORA Article 28 \u2014 Evidence pack (Auditor &amp; engineer views)<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/compliance\/dora-article-28-auditor-checklist-yes-no-evidence\/\" data-type=\"post\" data-id=\"353\">DORA Article 28 \u2014 Auditor checklist (Yes \/ No \/ Evidence)<\/a><\/li>\n\n\n\n<li><a 
href=\"https:\/\/regulated-devsecops.com\/fr\/regulatory-frameworks\/dora-article-28-architecture\/\" data-type=\"post\" data-id=\"364\">Architecture DORA Article 28 : Contr\u00f4les de risques tiers dans les pipelines CI\/CD<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/regulatory-frameworks\/continuous-compliance-via-ci-cd\/\" data-type=\"post\" data-id=\"987\">Conformit\u00e9 continue via les pipelines CI\/CD<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n    <section class=\"rds-author-box rds-author-box--audit\"\r\n             dir=\"ltr\" lang=\"fr\"\r\n             style=\"border:1px solid rgba(100,116,139,.35);border-radius:14px;padding:16px 18px;margin:26px 0 18px;background:rgba(148,163,184,.08);\">\r\n      <strong style=\"margin:0 0 8px; font-size:14px; font-weight:700; letter-spacing:.02em;\">Contexte \u201caudit-ready\u201d<\/strong>\r\n      <p style=\"margin:0; font-size:14px; line-height:1.55;\">Contenu con\u00e7u pour les environnements r\u00e9glement\u00e9s : contr\u00f4les avant outils, enforcement par politiques dans le CI\/CD, et evidence-by-design pour l\u2019audit.<\/p>\r\n      <p style=\"margin:0; font-size:14px; line-height:1.55;\">Focus sur la tra\u00e7abilit\u00e9, les approbations, la gouvernance des exceptions et la r\u00e9tention des preuves de bout en bout.<\/p>\r\n      <p style=\"margin:0; font-size:14px; line-height:1.55;\">\r\n        <a href=\"https:\/\/regulated-devsecops.com\/fr\/fr\/about\/\">Voir la m\u00e9thodologie sur la page About.<\/a>\r\n      <\/p>\r\n    <\/section>\r\n    \n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction Cet article relie les obligations de DORA Article 28 aux contr\u00f4les techniques concrets et aux preuves que les auditeurs s&rsquo;attendent \u00e0 v\u00e9rifier. 
Il fait le pont entre deux perspectives compl\u00e9mentaires : L&rsquo;objectif est d&rsquo;\u00e9liminer l&rsquo;ambigu\u00eft\u00e9 entre le texte r\u00e9glementaire, l&rsquo;outillage, la gouvernance et la conformit\u00e9 \u2014 et de fournir une r\u00e9f\u00e9rence unique pour la &#8230; <a title=\"DORA Article 28 \u2014 Mapping des contr\u00f4les et preuves\" class=\"read-more\" href=\"https:\/\/regulated-devsecops.com\/fr\/regulatory-frameworks\/dora-article-28-controls-evidence-mapping\/\" aria-label=\"En savoir plus sur DORA Article 28 \u2014 Mapping des contr\u00f4les et preuves\">Lire la suite<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[126],"tags":[],"post_folder":[],"class_list":["post-1319","post","type-post","status-publish","format-standard","hentry","category-regulatory-frameworks"],"_links":{"self":[{"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/posts\/1319","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/comments?post=1319"}],"version-history":[{"count":0,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/posts\/1319\/revisions"}],"wp:attachment":[{"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/media?parent=1319"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/categories?post=1319"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/tags?post=1319"},{"taxonomy":"post_folder",
"embeddable":true,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/post_folder?post=1319"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}