{"id":1424,"date":"2026-01-06T20:08:44","date_gmt":"2026-01-06T19:08:44","guid":{"rendered":"https:\/\/regulated-devsecops.com\/uncategorized\/dora-article-21-auditor-checklist-ci-cd-ict-risk-management-2\/"},"modified":"2026-03-26T00:24:54","modified_gmt":"2026-03-25T23:24:54","slug":"dora-article-21-auditor-checklist-ci-cd-ict-risk-management","status":"publish","type":"post","link":"https:\/\/regulated-devsecops.com\/fr\/ci-cd-governance\/dora-article-21-auditor-checklist-ci-cd-ict-risk-management\/","title":{"rendered":"DORA Article 21 \u2014 Auditor Checklist (CI\/CD &#038; ICT Risk Management)"},"content":{"rendered":"\n<p>This checklist is designed to assess compliance with DORA Article 21 requirements through CI\/CD pipeline controls and supporting ICT processes.<br>It supports internal audits, supervisory reviews, and regulatory assessments.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Article 21(1) \u2014 ICT Risk Management Framework<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th><strong>Control Check<\/strong><\/th><th class=\"has-text-align-center\" data-align=\"center\"><strong>Yes<\/strong><\/th><th class=\"has-text-align-center\" data-align=\"center\"><strong>No<\/strong><\/th><\/tr><\/thead><tbody><tr><td>CI\/CD pipelines are included in the ICT risk management scope<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>ICT risks related to software delivery are formally identified<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>Preventive controls are enforced via CI\/CD pipelines<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" 
data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>Detection mechanisms exist for pipeline-related incidents<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>CI\/CD supports response and recovery processes<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Article 21(2)(a) \u2014 Access Control<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th><strong>Control Check<\/strong><\/th><th class=\"has-text-align-center\" data-align=\"center\"><strong>Yes<\/strong><\/th><th class=\"has-text-align-center\" data-align=\"center\"><strong>No<\/strong><\/th><\/tr><\/thead><tbody><tr><td>CI\/CD access follows least privilege principles<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>Pipeline identities are separated from human users<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>RBAC is enforced for pipeline configuration<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>MFA is required for CI\/CD administrators<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>Privileged actions are restricted and monitored<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" 
data-align=\"center\">\u2b1c<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Article 21(2)(b) \u2014 Segregation of Duties<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th><strong>Control Check<\/strong><\/th><th class=\"has-text-align-center\" data-align=\"center\"><strong>Yes<\/strong><\/th><th class=\"has-text-align-center\" data-align=\"center\"><strong>No<\/strong><\/th><\/tr><\/thead><tbody><tr><td>Developers cannot self-approve production changes<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>Code review is mandatory before pipeline execution<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>Build and deploy permissions are separated<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>Overrides and exceptions are logged<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>Segregation of duties is reviewed periodically<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Article 21(2)(c) \u2014 Logging and Monitoring<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th><strong>Control Check<\/strong><\/th><th class=\"has-text-align-center\" data-align=\"center\"><strong>Yes<\/strong><\/th><th class=\"has-text-align-center\" 
data-align=\"center\"><strong>No<\/strong><\/th><\/tr><\/thead><tbody><tr><td>All CI\/CD executions are logged<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>Logs include approvals and security checks<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>Logs are centrally collected<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>Log retention meets regulatory requirements<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>Alerts exist for abnormal pipeline behavior<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Article 21(2)(d) \u2014 Change Management &amp; Integrity<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th><strong>Control Check<\/strong><\/th><th class=\"has-text-align-center\" data-align=\"center\"><strong>Yes<\/strong><\/th><th class=\"has-text-align-center\" data-align=\"center\"><strong>No<\/strong><\/th><\/tr><\/thead><tbody><tr><td>All production changes go through CI\/CD pipelines<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>Artifact integrity is verified before deployment<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" 
data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>Provenance links source code to deployed artifacts<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>Out-of-band deployments are prevented or logged<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>Change approvals are auditable<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Article 21(2)(e) \u2014 Resilience, Backup, and Recovery<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th><strong>Control Check<\/strong><\/th><th class=\"has-text-align-center\" data-align=\"center\"><strong>Yes<\/strong><\/th><th class=\"has-text-align-center\" data-align=\"center\"><strong>No<\/strong><\/th><\/tr><\/thead><tbody><tr><td>CI\/CD pipelines are designed for resilience<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>Build environments are isolated and hardened<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>Pipeline configurations are backed up securely<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>Rollback procedures are tested<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>CI\/CD components do not represent single points of 
failure<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Article 21(2)(f) \u2014 Continuous Improvement<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th><strong>Control Check<\/strong><\/th><th class=\"has-text-align-center\" data-align=\"center\"><strong>Yes<\/strong><\/th><th class=\"has-text-align-center\" data-align=\"center\"><strong>No<\/strong><\/th><\/tr><\/thead><tbody><tr><td>CI\/CD security controls are reviewed periodically<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>Pipeline controls evolve with threat landscape<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>Lessons learned are fed back into pipelines<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>Compliance gaps trigger corrective actions<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>Management oversight includes CI\/CD risk posture<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Auditor Guidance<\/h2>\n\n\n\n<p>When using this checklist:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Request <strong>technical evidence<\/strong>, not policies alone<\/li>\n\n\n\n<li>Verify 
that controls are <strong>automated and enforced<\/strong><\/li>\n\n\n\n<li>Confirm that evidence is <strong>current and reproducible<\/strong><\/li>\n\n\n\n<li>Assess consistency across teams and pipelines<\/li>\n\n\n\n<li>Pay special attention to exceptions and overrides<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Related Resources<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><a href=\"https:\/\/regulated-devsecops.com\/fr\/uncategorized\/dora-article-21-deep-dive-enforcing-ict-risk-controls-via-ci-cd\/\" data-type=\"post\" data-id=\"252\">DORA Article 21 Deep Dive<\/a><\/strong><\/li>\n\n\n\n<li><strong><a href=\"https:\/\/regulated-devsecops.com\/fr\/uncategorized\/dora-article-21-%e2%86%94-ci-cd-controls-mapping\/\" data-type=\"post\" data-id=\"255\">Article 21 \u2194 CI\/CD Controls Mapping<\/a><\/strong><\/li>\n\n\n\n<li><strong><a href=\"https:\/\/regulated-devsecops.com\/fr\/regulatory-frameworks\/dora-compliance-architecture-ci-cd-as-a-regulated-ict-system-2\/\" data-type=\"post\" data-id=\"274\">DORA Compliance Architecture<\/a><\/strong><\/li>\n\n\n\n<li><strong><a href=\"https:\/\/regulated-devsecops.com\/compliance\/\" data-type=\"page\" data-id=\"17\">Compliance<\/a><\/strong><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n    <section class=\"rds-author-box rds-author-box--audit\"\r\n             dir=\"ltr\" lang=\"en\"\r\n             style=\"border:1px solid rgba(100,116,139,.35);border-radius:14px;padding:16px 18px;margin:26px 0 18px;background:rgba(148,163,184,.08);\">\r\n      <strong style=\"margin:0 0 8px; font-size:14px; font-weight:700; letter-spacing:.02em;\">\u201cAudit-ready\u201d context<\/strong>\r\n      <p style=\"margin:0; font-size:14px; line-height:1.55;\">Content designed for regulated environments: controls before tools, policy enforcement in CI\/CD, and 
evidence-by-design for audit.<\/p>\r\n      <p style=\"margin:0; font-size:14px; line-height:1.55;\">Focus on traceability, approvals, exception governance and end-to-end evidence retention.<\/p>\r\n      <p style=\"margin:0; font-size:14px; line-height:1.55;\">\r\n        <a href=\"https:\/\/regulated-devsecops.com\/fr\/fr\/about\/\">See the methodology on the About page.<\/a>\r\n      <\/p>\r\n    <\/section>\r\n    \n\n\n\n","protected":false},"excerpt":{"rendered":"<p>This checklist is designed to assess compliance with DORA Article 21 requirements through CI\/CD pipeline controls and supporting ICT processes. It supports internal audits, supervisory reviews, and regulatory assessments. Article 21(1) \u2014 ICT Risk Management Framework Control Check Yes No CI\/CD pipelines are included in the ICT risk management scope \u2b1c \u2b1c ICT risks related to &#8230; <a title=\"DORA Article 21 \u2014 Auditor Checklist (CI\/CD &#038; ICT Risk Management)\" class=\"read-more\" href=\"https:\/\/regulated-devsecops.com\/fr\/ci-cd-governance\/dora-article-21-auditor-checklist-ci-cd-ict-risk-management\/\" aria-label=\"Learn more about DORA Article 21 \u2014 Auditor Checklist (CI\/CD &#038; ICT Risk Management)\">Read 
more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[123,122,126],"tags":[],"post_folder":[],"class_list":["post-1424","post","type-post","status-publish","format-standard","hentry","category-ci-cd-governance","category-audit-evidence","category-regulatory-frameworks"],"_links":{"self":[{"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/posts\/1424","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/comments?post=1424"}],"version-history":[{"count":0,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/posts\/1424\/revisions"}],"wp:attachment":[{"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/media?parent=1424"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/categories?post=1424"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/tags?post=1424"},{"taxonomy":"post_folder","embeddable":true,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/post_folder?post=1424"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
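The checklist rows on artifact integrity, provenance, segregation of duties and out-of-band deployments, together with the auditor guidance to look for controls that are automated and enforced and for evidence that is reproducible, describe a single pre-deployment gate. The following Python is an added example written for this page; it is not code from the original post or from regulated-devsecops.com. It checks one deployment request against all four rows and emits a structured evidence record. The data shapes (a provenance dict carrying the builder, source commit and artifact digest; an approval dict carrying author, approver and commit), the identity names and the approver group are assumptions for the example, not any CI/CD product's schema.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical identities (not from the page): a build-only service identity,
# a deploy-only service identity, and the human release-approver group.
# Build and deploy permissions are deliberately held by different identities.
BUILD_IDENTITIES = {"svc-build"}
DEPLOY_IDENTITIES = {"svc-deploy-prod"}
RELEASE_APPROVERS = {"bob", "carol"}


def sha256_hex(data: bytes) -> str:
    """Digest that ties the deployed bytes to the provenance record."""
    return hashlib.sha256(data).hexdigest()


def check_integrity(artifact: bytes, provenance: dict) -> list:
    """Artifact integrity: recompute the digest instead of trusting a label."""
    if sha256_hex(artifact) != provenance.get("artifact_sha256"):
        return ["INTEGRITY: artifact digest does not match provenance"]
    return []


def check_provenance(provenance: dict, approval: dict) -> list:
    """Provenance: built by the build identity, from the approved commit."""
    findings = []
    if provenance.get("builder") not in BUILD_IDENTITIES:
        findings.append("PROVENANCE: builder is not a pipeline build identity")
    if provenance.get("source_commit") != approval.get("commit"):
        findings.append("PROVENANCE: built commit differs from approved commit")
    return findings


def check_segregation_of_duties(approval: dict) -> list:
    """SoD: no self-approval, and the approver must hold the release role."""
    findings = []
    if approval.get("approver") == approval.get("author"):
        findings.append("SOD: change was self-approved")
    if approval.get("approver") not in RELEASE_APPROVERS:
        findings.append("SOD: approver is not in the release approver group")
    return findings


def check_deployer(deployer: str) -> list:
    """Out-of-band detection: only the deploy service identity may deploy."""
    if deployer not in DEPLOY_IDENTITIES:
        return ["OUT-OF-BAND: deployment not initiated by the pipeline deploy identity"]
    return []


def deployment_gate(artifact: bytes, provenance: dict, approval: dict, deployer: str) -> dict:
    """Run all checks and return one structured evidence record; an auditor
    can re-derive the same decision from the same inputs."""
    findings = (
        check_integrity(artifact, provenance)
        + check_provenance(provenance, approval)
        + check_segregation_of_duties(approval)
        + check_deployer(deployer)
    )
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "artifact_sha256": sha256_hex(artifact),
        "source_commit": provenance.get("source_commit"),
        "author": approval.get("author"),
        "approver": approval.get("approver"),
        "deployer": deployer,
        "decision": "deny" if findings else "allow",
        "findings": findings,
    }


# Constructed sample inputs: not a real artifact, commit, or set of people.
ARTIFACT = b"example-service 1.4.2 release bundle"
COMMIT = "3f2a9c1e"  # hypothetical short commit id
PROVENANCE = {
    "builder": "svc-build",
    "source_commit": COMMIT,
    "artifact_sha256": sha256_hex(ARTIFACT),
}
APPROVAL = {"author": "alice", "approver": "bob", "commit": COMMIT}


def run_samples() -> dict:
    """Compliant request, tampered artifact, and a self-approved out-of-band push."""
    return {
        "compliant": deployment_gate(ARTIFACT, PROVENANCE, APPROVAL, "svc-deploy-prod"),
        "tampered": deployment_gate(ARTIFACT + b"\x00", PROVENANCE, APPROVAL, "svc-deploy-prod"),
        "self_approved": deployment_gate(
            ARTIFACT, PROVENANCE, {**APPROVAL, "approver": "alice"}, "alice"
        ),
    }


if __name__ == "__main__":
    # One JSON line per decision: append-only, centrally collectable, retainable.
    for name, record in run_samples().items():
        print(name, json.dumps(record, sort_keys=True))
```

Running the block prints three evidence lines: the compliant request is allowed, the tampered artifact is denied on the integrity check alone, and the self-approved request is denied with three findings (self-approval, approver outside the release group, deployment by a human identity). In a real pipeline the provenance statement would come from the build system and the approval record from the code-review tool; the point the checklist makes is that the gate is enforced in the pipeline, not in a policy document, and that each decision leaves a log line that can be collected centrally and retained.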