ISO 27001 Annex A 8.4 is the control covering access to source code: an organisation must have a system for controlling who can read and change its source code, development tools and software libraries.
What is ISO 27001 Annex A 8.4?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In the ISO/IEC 27001:2022 Standard the control is titled “Access To Source Code”.
What is the ISO 27001 Annex A 8.4 control objective?
The formal definition and control objective in the standard is: “Read and write access to source code, development tools and software libraries should be appropriately managed.”
What is the purpose of ISO 27001 Annex A 8.4?
The purpose of ISO 27001 Annex A 8.4 is “To prevent the introduction of unauthorised functionality, avoid unintentional or malicious changes and to maintain the confidentiality of valuable intellectual property.”
Is ISO 27001 Annex A 8.4 Mandatory?
ISO 27001 Annex A control 8.4 (Access To Source Code in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.
The mandatory part of the standard requires you to consider ISO 27001 Annex A 8.4 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.
Key Parts of the Rule
To follow this rule, you should have clear plans and policies. Here are some important steps:
Applicability
If you have source code, you need to control who can access it. If you do not have source code, this control does not apply to you: you can mark it as not applicable in your statement of applicability, or add it to your risk register and accept the risk.
Documentation
If you do have source code, you likely already control access to it. This control is not new or complex; it simply asks you to document the policies and procedures for what you already do.
Process
You should manage who can read and change your source code, program code, libraries and related software. The control is intended to stop unauthorised changes, which prevents security problems from being introduced in the first place.
Risk Assessment
You should assess your risks: identify the code and tooling you hold and what needs protecting, then put the appropriate controls in place.
Logging and Monitoring
It is good practice to use logging and monitoring on your code repositories and development tools. This gives you a record of who accessed or changed what, and when.
Digital Signatures
You may need digital signatures on commits or releases; they provide evidence that the code has not been altered. Some customers may also require you to place your code in escrow.