Supplier Governance & CI/CD Controls Checklist

Third-Party ICT Risk Controls for Regulated CI/CD Pipelines

Why this checklist exists

In regulated environments, suppliers are not “external.” They are part of your delivery system. When third-party services support your SDLC (Git hosting, CI/CD SaaS, artifact registries, cloud runtime, security scanners), auditors expect you to demonstrate: This checklist is designed to be used by …

DORA Article 28 Architecture: Auditor View vs Engineer View — Explained

DORA Article 28 requires financial entities to manage ICT third-party risk in a way that is verifiable, enforceable, and auditable. However, auditors and engineers do not read architectures the same way. This section presents the same CI/CD architecture, viewed through two different lenses: Understanding both perspectives is essential to avoid compliance gaps and audit friction. …