This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 8.4 Access to source code.
ISO 27001: 2022 Control Description
Read and write access to source code, development tools and software libraries shall be appropriately managed.
Purpose
To prevent the introduction of unauthorized functionality, avoid unintentional or malicious changes and to maintain the confidentiality of valuable intellectual property.
Guidance on implementation
Access to source code and associated items (such as designs, specifications, verification plans and validation plans) and development tools (e.g. compilers, builders, integration tools, test platforms and environments) should be strictly controlled.
For source code, this can be achieved by controlling central storage of such code, preferably in source code management system.
Read access and write access to source code can differ based on the personnel’s role. For example, read access to source code can be broadly provided inside the organisation, but write access to source code is only made available to privileged personnel or designated owners.
Where code components are used by several developers within an organisation, read access to a centralised code repository should be implemented. Furthermore, if open-source code or third-party code components are used inside an organisation, read access to such external code repositories can be broadly provided. However, write access should still be restricted.
The following guidelines should be considered to control access to program source libraries in order to reduce the potential for corruption of computer programs:
a) managing the access to program source code and the program source libraries according to established procedures;
b) granting read and write access to source code based on business needs and managed to address risks of alteration or misuse and according to established procedures;
c) updating of source code and associated items and granting of access to source code in accordance with change control procedures and only performing it after appropriate authorization has been received;
d) not granting developers direct access to the source code repository, but through developer tools that control activities and authorizations on the source code;
e) holding program listings in a secure environment, where read and write access should be appropriately managed and assigned;
f) maintaining an audit log of all accesses and of all changes to source code.
If the program source code is intended to be published, additional controls to provide assurance on its integrity (e.g. digital signature) should be considered.
Other information
If access to source code is not properly controlled, source code can be modified or some data in the development environment (e.g. copies of production data, configuration details) can be retrieved by unauthorised persons.