ISO 27001 Certification — What CI/CD Evidence Auditors Require

ISO 27001 Certification Audit Process Overview

ISO 27001 certification involves a two-stage external audit conducted by an accredited certification body. Understanding this process is essential for compliance officers preparing CI/CD environments for assessment.

Stage 1 — Documentation Review

The Stage 1 audit is primarily a documentation review. The auditor assesses whether your ISMS documentation is complete and whether the organisation is ready for the Stage 2 assessment. For CI/CD environments, this means verifying that:

The ISMS scope explicitly includes CI/CD pipeline infrastructure and processes
The Statement of Applicability (SoA) addresses CI/CD-relevant Annex A controls
Risk assessments cover CI/CD-specific threat scenarios
Policies and procedures reference automated development and deployment processes
The internal audit programme has covered CI/CD security controls

Common Stage 1 outcome for CI/CD: Auditors frequently find that ISMS documentation was written before CI/CD adoption and has not been updated. This results in a recommendation to update documentation before proceeding to Stage 2.

Stage 2 — Evidence Audit

The Stage 2 audit is where auditors examine evidence of implementation and effectiveness. For CI/CD environments, this means demonstrating that documented controls are actually operating and producing verifiable results. Auditors will request specific artifacts, interview personnel responsible for pipeline security, and may observe pipeline operations.

The Stage 2 audit typically occurs four to eight weeks after Stage 1 to allow time for any documentation gaps to be addressed.

What Auditors Request During Stage 2 for CI/CD Environments

Auditors approach CI/CD evidence collection systematically across control domains. The following sections detail what is requested, what format is acceptable, and how long evidence must be retained.

Evidence Categories and CI/CD Artifacts

1. ISMS Documentation

The foundation of the audit. Auditors verify that the ISMS framework specifically addresses CI/CD.

Specific CI/CD artifacts: ISMS scope statement naming CI/CD systems; information security policy referencing automated pipelines; secure development policy; CI/CD-specific risk treatment plans
Acceptable formats: Approved documents in document management system with version control, review dates, and approval signatures
Retention requirements: Current version plus at least the previous version; review history for the full certification cycle (three years)

2. Risk Assessment Records

Auditors expect CI/CD-specific risks to be identified, assessed, and treated.

Specific CI/CD artifacts: Risk register entries for pipeline compromise, supply chain attacks, secret exposure, unauthorised deployment, and build environment tampering; risk treatment plans with control mappings; risk assessment methodology covering CI/CD threat scenarios
Acceptable formats: Risk register (spreadsheet, GRC platform export, or documented format); risk assessment reports with dates and assessor identification
Retention requirements: Current risk register plus historical versions showing risk evolution; minimum three years of risk assessment records

3. Access Control Evidence

One of the most heavily scrutinised areas for CI/CD.

Specific CI/CD artifacts: Pipeline platform user listings with role assignments; service account inventories; access review records showing periodic recertification; evidence of multi-factor authentication enforcement; privileged access logs for pipeline administration; records of access provisioning and de-provisioning
Acceptable formats: Platform-generated access reports; access review sign-off records; authentication configuration screenshots with timestamps; access request and approval workflows
Retention requirements: Current access configurations; access review records for at least 12 months; access change logs for the full certification cycle

4. Change Management Records

The pipeline’s core function — moving changes through controlled stages — must itself be evidenced.

Specific CI/CD artifacts: Pipeline execution histories showing the complete change lifecycle; approval records for production deployments; emergency change records with retrospective reviews; pipeline configuration change history (pipeline-as-code version control); release records with traceability to approved changes
Acceptable formats: Pipeline platform audit logs; version control system history; approval workflow records; change advisory board (CAB) meeting minutes where applicable
Retention requirements: Complete deployment history for at least 12 months; pipeline configuration history for the full certification cycle; emergency change records retained for review

5. Security Testing Results

Evidence that security testing is integrated, mandatory, and effective.

Specific CI/CD artifacts: Static analysis scan results per pipeline execution; dependency vulnerability scan results; dynamic security test results; penetration test reports for pipeline infrastructure; security test pass/fail rates over time; records of security test failures that blocked deployments
Acceptable formats: Security tool reports linked to specific pipeline executions; trend analysis dashboards with supporting data; penetration test reports from qualified testers
Retention requirements: Individual scan results retained for at least 12 months; trend data for the full certification cycle; penetration test reports retained until the next assessment

6. Incident Management Records

Evidence that CI/CD-related security incidents are detected, responded to, and learned from.

Specific CI/CD artifacts: Incident records for any pipeline security events; incident response procedure documentation covering CI/CD scenarios; post-incident review reports; evidence of incident drills or tabletop exercises involving pipeline compromise scenarios; corrective action records
Acceptable formats: Incident management system records; post-incident review documents; drill exercise reports; corrective action tracking records
Retention requirements: All incident records for the full certification cycle (three years); corrective actions tracked to closure

7. Supplier Management Records

Evidence that third-party CI/CD dependencies are managed and monitored.

Specific CI/CD artifacts: Supplier register including CI/CD platform providers, plugin vendors, and cloud service providers; third-party risk assessments for CI/CD service providers; contractual security requirements; service level monitoring records; dependency inventory (SBOM) for pipeline components
Acceptable formats: Supplier register entries; risk assessment reports; contract extracts showing security clauses; service review meeting minutes; SBOM outputs in standard formats
Retention requirements: Current supplier register and contracts; risk assessments updated at least annually; service review records for 12 months minimum

Evidence Summary Table

Evidence Type	Source System	Format	Retention
ISMS scope and policies	Document management system	Approved documents with version control	Current + previous versions; 3-year review history
Risk register (CI/CD entries)	GRC platform or risk register	Structured risk entries with assessment dates	Current + historical versions; 3 years
Pipeline user access listings	CI/CD platform admin console	User/role export with timestamps	Current config + 12 months change logs
Access review sign-offs	Access governance tool or manual records	Review records with reviewer identity and date	12 months minimum
Pipeline execution audit trails	CI/CD platform logs	Immutable log entries per execution	12 months minimum
Deployment approval records	CI/CD platform or workflow tool	Approval records with approver identity and timestamp	12 months minimum
Pipeline configuration history	Version control system	Commit history for pipeline-as-code files	Full certification cycle (3 years)
Security scan results	Security testing tools integrated in pipeline	Tool reports linked to pipeline execution IDs	12 months individual; 3 years trend data
Penetration test reports	Qualified testing provider	Formal report with scope, findings, remediation	Until next assessment
Incident records	Incident management system	Incident tickets with timeline and resolution	3 years
Supplier risk assessments	GRC platform or manual records	Assessment reports with risk ratings	Updated annually; 3 years historical
SBOM / dependency inventory	Pipeline dependency scanning tool	Standard SBOM format (CycloneDX, SPDX)	Per release; 12 months minimum

Common Reasons for Non-Conformities in CI/CD Environments

The following non-conformities are most frequently raised during certification audits of organisations with CI/CD pipelines:

ISMS scope gap: CI/CD infrastructure not explicitly included in the ISMS scope, resulting in controls not being applied
Stale documentation: Policies and procedures written before CI/CD adoption and never updated to reflect automated processes
Incomplete access reviews: Pipeline service accounts and automation credentials excluded from periodic access reviews
Missing audit trails: Pipeline logs are mutable, incomplete, or not retained for the required period
Bypassable security gates: Security testing stages in the pipeline can be skipped without formal approval and documentation
No supplier risk assessment for CI/CD tools: Third-party CI/CD platforms and plugins not included in the supplier risk register
Emergency changes without retrospective review: Hotfixes deployed outside the standard pipeline without documented justification and post-deployment review
Risk assessment gaps: CI/CD-specific threat scenarios (supply chain attack, secret exposure, pipeline compromise) not assessed in the risk register

Surveillance Audit Expectations

After initial certification, surveillance audits are conducted annually (typically covering one-third of controls each year). For CI/CD environments, surveillance auditors will focus on:

Continued effectiveness: Are controls that were conformant at certification still operating effectively?
Management review coverage: Has management reviewed CI/CD security performance?
Corrective actions: Have any non-conformities from the previous audit been addressed and verified?
Changes since last audit: Have there been significant changes to the CI/CD environment, and were these subject to risk assessment?
Internal audit findings: Did internal audits cover CI/CD controls, and were findings addressed?
Continual improvement: Is there evidence that CI/CD security controls have been improved since the last audit?

Preparing for Recertification

The three-year recertification audit is more comprehensive than surveillance audits. It reassesses the entire ISMS. For CI/CD environments, preparation should include:

Complete review and update of all CI/CD-related policies and procedures
Full cycle of access reviews for all pipeline accounts and credentials
Updated risk assessment covering any new CI/CD technologies or processes adopted during the certification cycle
Evidence of three years of continuous control operation (audit trails, review records, incident records)
Management review records specifically addressing CI/CD security performance trends
Internal audit reports covering all CI/CD-relevant Annex A controls
Evidence of continual improvement initiatives for pipeline security