Access to Source Code - ISO 27001 Annex A Control

Source code is intellectual property and a target - protect it like both.

Source code is a sensitive asset for any organisation that develops software. Read access exposes intellectual property and reveals security details that attackers can exploit. Write access lets someone change what the application does - whether to fix a bug, add a feature, or insert a backdoor. The control asks for both to be managed deliberately.

Modern development typically uses a code repository (Git, for example) with branch protection rules, code review requirements and integration with build pipelines. The repository becomes the central control point: who can read, who can commit, who can merge to protected branches, and how changes flow through to production. Configuring these controls properly puts most of the policy into effect technically.

Beyond the repository, the control covers development tools, build systems, package managers and the libraries pulled in from external sources. Each is a route by which malicious code could enter the application. Managing access to the build pipeline and reviewing dependencies is part of the same protective scope.

The most common gap in source code access control is the leaver who keeps repository access for weeks after their last day. Repository access often sits in a different system from the main identity provider and gets missed in standard offboarding. The fix is to bring repository access under the central identity arrangements so that one offboarding action covers everything.
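The two technical points above, role-based repository access and the leaver who slips through offboarding, can be checked with a reconciliation pass. The following is an added example, not part of the alphaZ material: it compares a repository's access grants against the central identity directory and flags accounts that are missing from the directory, accounts of leavers that still hold access, and write or admin grants held by people outside the teams allowed to commit. All names, roles, teams and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class RepoGrant:
    username: str
    role: str  # hypothetical role names: "read", "write" or "admin"


@dataclass(frozen=True)
class DirectoryUser:
    username: str
    active: bool            # False once HR has processed the leaver
    left_on: Optional[date]
    team: str


def reconcile(grants: Sequence[RepoGrant], directory: Sequence[DirectoryUser],
              today: date, write_teams: Sequence[str] = ("engineering",)
              ) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for grants that the directory does not justify."""
    by_name = {u.username: u for u in directory}
    findings = []
    for g in grants:
        u = by_name.get(g.username)
        if u is None:
            # Repository-local account with no identity record: cannot be offboarded centrally
            findings.append((g.username, "not in identity directory"))
        elif not u.active:
            # The classic gap: offboarded in the IdP, still present in the repository
            days = (today - u.left_on).days if u.left_on else "unknown"
            findings.append((g.username, f"leaver still has {g.role} access ({days} days after leaving)"))
        elif g.role in ("write", "admin") and u.team not in write_teams:
            # Read access may be fine; commit rights should follow the team's role
            findings.append((g.username, f"{g.role} access outside {', '.join(write_teams)}"))
    return findings


def example_findings() -> List[Tuple[str, str]]:
    """Run the check on constructed sample data (all names and dates are made up)."""
    grants = [RepoGrant("alice", "write"), RepoGrant("bob", "admin"),
              RepoGrant("carol", "write"), RepoGrant("dave", "read"),
              RepoGrant("erin", "read")]
    directory = [DirectoryUser("alice", True, None, "engineering"),
                 DirectoryUser("bob", False, date(2024, 3, 1), "engineering"),
                 DirectoryUser("carol", True, None, "finance"),
                 DirectoryUser("erin", True, None, "finance")]
    return reconcile(grants, directory, today=date(2024, 4, 1))


if __name__ == "__main__":
    for user, finding in example_findings():
        print(f"{user}: {finding}")
```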

Practical Compliance Guidance

Source code access management is described in the IMS1 Manual in Section 8.2 alongside the Access Control Policy. Repository configuration and code review records can support this control. 

alphaZ document: ISO 27001 Toolkit
How to use it: The full alphaZ ISO 27001 toolkit including the IMS1 Manual, policies, procedures, registers and audit checklists.

alphaZ document: PP-8-100 Information Security Policy Procedure
How to use it: Contains the Access Control Policy including the rules for code repository access and the development environment. Use as the source for source code governance.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

If the organisation does not develop or modify code, the control may not apply. Where applicability is questioned, the position should be documented in the Statement of Applicability with the justification.

Through defined access controls in the repository - typically separate roles for external contributors, requirements for code review before merging, and clear contractual arrangements covering confidentiality and intellectual property.

Open source dependencies are part of the application's attack surface and should be managed accordingly. Software composition analysis tools identify dependencies and their known vulnerabilities. The position on accepting dependencies should be reflected in the development lifecycle controls under A.8.25.
