{"id":1330,"date":"2026-01-21T20:01:23","date_gmt":"2026-01-21T19:01:23","guid":{"rendered":"https:\/\/regulated-devsecops.com\/uncategorized\/audit-day-qa-cheat-sheet-2\/"},"modified":"2026-03-26T00:17:02","modified_gmt":"2026-03-25T23:17:02","slug":"audit-day-qa-cheat-sheet","status":"publish","type":"post","link":"https:\/\/regulated-devsecops.com\/fr\/regulatory-frameworks\/audit-day-qa-cheat-sheet\/","title":{"rendered":"Audit Day Q&amp;A Cheat Sheet"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\"><strong>CI\/CD Pipelines in Regulated Environments<\/strong><\/h3>\n\n\n\n<p>Use this cheat sheet on audit day to answer common CI\/CD questions clearly, consistently, and with evidence.<\/p>\n\n\n\n<p>Short answers. No speculation. Always back the answer with evidence.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>1. Scope and governance<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Q: Are CI\/CD pipelines in the compliance scope?<\/strong><\/h3>\n\n\n\n<p><strong>Answer<\/strong><\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Yes. 
CI\/CD pipelines are treated as regulated ICT systems because they directly impact production systems.<\/p>\n<\/blockquote>\n\n\n\n<p><strong>Evidence to show<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ICT system inventory<\/li>\n\n\n\n<li>Risk assessment that includes CI\/CD<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Q: Who is responsible for CI\/CD security and governance?<\/strong><\/h3>\n\n\n\n<p><strong>Answer<\/strong><\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>CI\/CD governance is jointly owned by Platform Engineering and Security, with defined accountability.<\/p>\n<\/blockquote>\n\n\n\n<p><strong>Evidence<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>RACI or ownership document<\/li>\n\n\n\n<li>Governance policy reference<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>2. 
Access control<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Q: Who can modify CI\/CD pipelines?<\/strong><\/h3>\n\n\n\n<p><strong>Answer<\/strong><\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Only authorized administrators, with RBAC and MFA, can modify pipeline configurations.<\/p>\n<\/blockquote>\n\n\n\n<p><strong>Evidence<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>CI\/CD RBAC configuration<\/li>\n\n\n\n<li>IAM policies<\/li>\n\n\n\n<li>MFA enforcement screen\/logs<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Q: Do pipelines use shared credentials?<\/strong><\/h3>\n\n\n\n<p><strong>Answer<\/strong><\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>No. Each pipeline uses dedicated service accounts with least privilege.<\/p>\n<\/blockquote>\n\n\n\n<p><strong>Evidence<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Service account list<\/li>\n\n\n\n<li>Permission scopes<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>3. Separation of duties<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Q: Can developers deploy directly to production?<\/strong><\/h3>\n\n\n\n<p><strong>Answer<\/strong><\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>No. 
Production deployments require independent approval enforced by the pipeline.<\/p>\n<\/blockquote>\n\n\n\n<p><strong>Evidence<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Approval rules<\/li>\n\n\n\n<li>Deployment workflow definition<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Q: Can someone approve their own changes?<\/strong><\/h3>\n\n\n\n<p><strong>Answer<\/strong><\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>No. Self-approval is technically prevented.<\/p>\n<\/blockquote>\n\n\n\n<p><strong>Evidence<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Pull request rules<\/li>\n\n\n\n<li>Sample approval history<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>4. Change management<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Q: How do you ensure that all production changes go through CI\/CD?<\/strong><\/h3>\n\n\n\n<p><strong>Answer<\/strong><\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Direct access to production is restricted. 
All deployments are executed through CI\/CD pipelines.<\/p>\n<\/blockquote>\n\n\n\n<p><strong>Evidence<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Deployment logs<\/li>\n\n\n\n<li>Infrastructure access restrictions<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Q: Can you trace a production release back to source code?<\/strong><\/h3>\n\n\n\n<p><strong>Answer<\/strong><\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Yes. We maintain full traceability from commit to deployment.<\/p>\n<\/blockquote>\n\n\n\n<p><strong>Evidence<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Commit ID<\/li>\n\n\n\n<li>Pipeline run ID<\/li>\n\n\n\n<li>Artifact metadata<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>5. Security controls<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Q: Are security scans mandatory?<\/strong><\/h3>\n\n\n\n<p><strong>Answer<\/strong><\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Yes. 
Security scans are enforced and block deployment on failure.<\/p>\n<\/blockquote>\n\n\n\n<p><strong>Evidence<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Pipeline definition<\/li>\n\n\n\n<li>Sample failed build<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Q: How are security exceptions handled?<\/strong><\/h3>\n\n\n\n<p><strong>Answer<\/strong><\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Exceptions require formal approval and are logged.<\/p>\n<\/blockquote>\n\n\n\n<p><strong>Evidence<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Exception records<\/li>\n\n\n\n<li>Approval logs<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>6. Logging and monitoring<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Q: Are CI\/CD activities logged?<\/strong><\/h3>\n\n\n\n<p><strong>Answer<\/strong><\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Yes. 
All pipeline executions and changes are logged centrally.<\/p>\n<\/blockquote>\n\n\n\n<p><strong>Evidence<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Central log dashboard<\/li>\n\n\n\n<li>Sample pipeline logs<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Q: How long are CI\/CD logs retained?<\/strong><\/h3>\n\n\n\n<p><strong>Answer<\/strong><\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Logs are retained in accordance with regulatory requirements.<\/p>\n<\/blockquote>\n\n\n\n<p><strong>Evidence<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Retention policy<\/li>\n\n\n\n<li>SIEM configuration<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>7. Incidents and resilience<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Q: What happens if a CI\/CD credential is compromised?<\/strong><\/h3>\n\n\n\n<p><strong>Answer<\/strong><\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Credentials can be revoked immediately and pipelines disabled.<\/p>\n<\/blockquote>\n\n\n\n<p><strong>Evidence<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>IAM revocation process<\/li>\n\n\n\n<li>Incident playbook excerpt<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Q: Do you test rollback procedures?<\/strong><\/h3>\n\n\n\n<p><strong>Answer<\/strong><\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Yes. 
Rollback and recovery procedures are tested regularly.<\/p>\n<\/blockquote>\n\n\n\n<p><strong>Evidence<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Test records<\/li>\n\n\n\n<li>Deployment history<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>8. Evidence quality<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Q: How do you provide audit evidence?<\/strong><\/h3>\n\n\n\n<p><strong>Answer<\/strong><\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Evidence is system-generated, timestamped, and reproducible.<\/p>\n<\/blockquote>\n\n\n\n<p><strong>Evidence<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Logs<\/li>\n\n\n\n<li>Pipeline metadata<\/li>\n\n\n\n<li>Sample audit trails<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Q: Can you reproduce evidence on demand?<\/strong><\/h3>\n\n\n\n<p><strong>Answer<\/strong><\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Yes. Evidence can be retrieved directly from the CI\/CD and logging systems.<\/p>\n<\/blockquote>\n\n\n\n<p><strong>Evidence<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Live query or prepared report<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>9. 
Handling difficult questions<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Q: &ldquo;Why don&rsquo;t you do X?&rdquo;<\/strong><\/h3>\n\n\n\n<p><strong>Safe answer<\/strong><\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>This control is addressed by alternative mechanisms aligned with our risk assessment.<\/p>\n<\/blockquote>\n\n\n\n<p>Then show <strong>what you do<\/strong>, not what you don&rsquo;t do.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Q: &ldquo;Isn&rsquo;t this non-compliant?&rdquo;<\/strong><\/h3>\n\n\n\n<p><strong>Safe answer<\/strong><\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Based on our interpretation and the controls in place, this requirement is addressed. We are open to further clarification.<\/p>\n<\/blockquote>\n\n\n\n<p>Never argue emotionally about the interpretation of regulations.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>10. 
Final golden rules (print these)<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Do not speculate<\/li>\n\n\n\n<li>Do not over-explain<\/li>\n\n\n\n<li>Show the evidence, then stop<\/li>\n\n\n\n<li>One voice at a time<\/li>\n\n\n\n<li>CI\/CD is a regulated system<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Related resources<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><a href=\"https:\/\/regulated-devsecops.com\/fr\/regulatory-frameworks\/audit-day-playbook-how-to-handle-ci-cd-audits-in-regulated-environments\/\" data-type=\"post\" data-id=\"268\">Audit Day Playbook<\/a><\/strong><\/li>\n\n\n\n<li><strong><a href=\"https:\/\/regulated-devsecops.com\/fr\/regulatory-frameworks\/before-the-auditor-arrives-ci-cd-audit-readiness-checklist\/\" data-type=\"post\" data-id=\"266\">Before the Auditor Arrives<\/a><\/strong><\/li>\n\n\n\n<li><strong><a href=\"https:\/\/regulated-devsecops.com\/fr\/regulatory-frameworks\/ci-cd-audit-red-flags-what-immediately-raises-auditor-concerns\/\" data-type=\"post\" data-id=\"264\">CI\/CD Audit Red Flags<\/a><\/strong><\/li>\n\n\n\n<li><strong><a href=\"https:\/\/regulated-devsecops.com\/fr\/regulatory-frameworks\/how-auditors-actually-review-ci-cd-pipelines\/\" data-type=\"post\" data-id=\"261\">How Auditors Actually Review CI\/CD<\/a><\/strong><\/li>\n\n\n\n<li><strong><a href=\"https:\/\/regulated-devsecops.com\/fr\/ci-cd-governance\/dora-article-21-auditor-checklist-ci-cd-ict-risk-management\/\" data-type=\"post\" data-id=\"257\">DORA Article 21 Auditor Checklist<\/a><\/strong><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>USAGE NOTES (important)<\/strong><\/h2>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>Keep this document open during audit calls<\/li>\n\n\n\n<li>Share it only with the team that interacts with auditors<\/li>\n\n\n\n<li>Do <strong>not<\/strong> improvise outside this scope<\/li>\n\n\n\n<li>Update it after each audit<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n    <section class=\"rds-author-box rds-author-box--standard\"\r\n             dir=\"ltr\" lang=\"fr\"\r\n             style=\"border:1px solid rgba(100,116,139,.35);border-radius:14px;padding:16px 18px;margin:26px 0 18px;background:rgba(148,163,184,.08);\">\r\n      <strong style=\"margin:0 0 8px; font-size:14px; font-weight:700; letter-spacing:.02em;\">About the author<\/strong>\r\n      <p style=\"margin:0; font-size:14px; line-height:1.55;\">Senior DevSecOps and security architect with more than 15 years of experience in secure software engineering, CI\/CD security, and regulated enterprise environments.<\/p>\r\n      <p style=\"margin:0; font-size:14px; line-height:1.55;\">Holds the CSSLP and EC-Council Certified DevSecOps Engineer certifications, with hands-on experience designing secure, auditable, and compliant CI\/CD architectures.<\/p>\r\n      <p style=\"margin:0; font-size:14px; line-height:1.55;\">\r\n        <a href=\"https:\/\/regulated-devsecops.com\/fr\/fr\/about\/\">Learn more on the About page.<\/a>\r\n      <\/p>\r\n    <\/section>\r\n    \n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CI\/CD Pipelines in Regulated Environments Use this cheat sheet on audit day to answer common CI\/CD questions clearly, consistently, and with evidence. Short answers. No speculation. Always back the answer with evidence. 1. 
Scope and governance Q: Are CI\/CD pipelines in the compliance scope? Answer Yes. Pipelines &#8230; <a title=\"Audit Day Q&amp;A Cheat Sheet\" class=\"read-more\" href=\"https:\/\/regulated-devsecops.com\/fr\/regulatory-frameworks\/audit-day-qa-cheat-sheet\/\" aria-label=\"Read more about Audit Day Q&amp;A Cheat Sheet\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[126,122,123],"tags":[],"post_folder":[],"class_list":["post-1330","post","type-post","status-publish","format-standard","hentry","category-regulatory-frameworks","category-audit-evidence","category-ci-cd-governance"],"_links":{"self":[{"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/posts\/1330","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/comments?post=1330"}],"version-history":[{"count":0,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/posts\/1330\/revisions"}],"wp:attachment":[{"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/media?parent=1330"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/categories?post=1330"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/tags?post=1330"},{"taxonomy":"post_folder","embeddable":true,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/post_folder?post=1330"}],"curies":
[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}