Access management for source code and tools
Control who can read and change source code to avoid risks and maintain security.
Plain language
This control is about managing who can see and change the computer code that runs your business. It matters because if the wrong person can get in and change your code, they could break your systems or steal your ideas, causing chaos and potentially costing you money.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Technological controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
12 Apr 2026
Maturity levels
N/A
Official control statement
Read and write access to source code, development tools and software libraries shall be appropriately managed.
Why it matters
If access to source code, libraries and dev tools is not controlled, unauthorised changes may be introduced, causing backdoors, outages, IP theft or breaches.
Operational notes
Limit repo/tool access via RBAC and least privilege; require MFA and approvals for write access; review access and audit logs regularly; enforce code review and signed commits.
Implementation tips
- The IT manager should ensure that access to source code is limited. Set up a system where only certain people can change the code, such as a source code management tool. Use passwords or access cards to make sure only these people can access important files.
- HR should work with IT to make sure only the right roles have access to development tools and code. This means creating clear job descriptions and access levels so everyone knows who should have access to what.
- Security officer should implement policies for code changes. This involves setting rules about how code can be updated, requiring approval before changes are made. Develop a change control process to manage this, incorporating an approval system.
- IT team should maintain an audit log of all code access and changes. This means setting up a logging tool to automatically record who accessed what and when. Regularly review these logs to spot any suspicious activity.
- Compliance officer should regularly review access rights. Conduct checks to ensure that only the necessary personnel can access the code and tools. Adjust access rights promptly if someone leaves the company or changes roles.
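The operational notes and implementation tips above describe an access review: compare who actually holds read or write access on the repositories against the roles that are entitled to it, remove access for leavers, require MFA for write access, and check the access logs for anyone touching the code without a recorded grant. The following script, added here as an illustration and not part of the original page or any particular tool, performs that review over constructed data. The role matrix, HR roster, permission export and log lines are all made up for the example; the field names (`access`, `mfa`) are assumptions and would be replaced by whatever the organisation's source code management tool exports.

```python
from __future__ import annotations

# Constructed role matrix (assumption, not from the page): the repository
# permissions each job role is entitled to under least privilege.
ROLE_MATRIX: dict[str, set[str]] = {
    "developer": {"read", "write"},
    "release_engineer": {"read", "write"},
    "qa": {"read"},
    "support": set(),
}

# Constructed HR roster: login -> (role, still employed).
HR_ROSTER: dict[str, tuple[str, bool]] = {
    "alice": ("developer", True),
    "bob": ("qa", True),
    "carol": ("release_engineer", True),
    "dave": ("developer", False),  # left the company; access should be gone
    "erin": ("support", True),
}

# Constructed export from the source code management tool:
# login -> granted access level and whether MFA is enforced on the account.
REPO_ACCESS: dict[str, dict] = {
    "alice": {"access": "write", "mfa": True},
    "bob": {"access": "write", "mfa": True},     # QA role only permits read
    "carol": {"access": "write", "mfa": False},  # write access without MFA
    "dave": {"access": "read", "mfa": True},     # leaver still has a grant
    "mallory": {"access": "read", "mfa": True},  # account unknown to HR
}

# Constructed access log, one event per line: date login action repository.
ACCESS_LOG = """\
2026-03-20 alice push payments
2026-03-21 dave clone payments
2026-03-22 erin clone payments
2026-03-23 bob push payments
"""

# Log actions that modify the repository and therefore need a write grant.
WRITE_ACTIONS = {"push", "merge"}


def review_access(role_matrix, roster, repo_access, access_log):
    """Return (login, finding) pairs for every grant or logged event that
    breaks the access policy. Order follows the input data, so the output
    is deterministic and can be attached to the review record as evidence."""
    findings: list[tuple[str, str]] = []

    # Pass 1: every grant in the tool must be justified by an active role.
    for login, grant in repo_access.items():
        level = grant["access"]
        if login not in roster:
            findings.append((login, "not_in_roster"))
            continue
        role, employed = roster[login]
        if not employed:
            findings.append((login, "leaver_retains_access"))
            continue
        if level not in role_matrix.get(role, set()):
            findings.append((login, "excess_privilege"))
        if level == "write" and not grant["mfa"]:
            findings.append((login, "write_without_mfa"))

    # Pass 2: every logged event must be covered by a grant of the right level.
    for line in access_log.splitlines():
        if not line.strip():
            continue
        _day, login, action, _repo = line.split()
        grant = repo_access.get(login)
        if grant is None:
            findings.append((login, "access_without_grant"))
        elif action in WRITE_ACTIONS and grant["access"] != "write":
            findings.append((login, "write_action_on_read_grant"))

    return findings


if __name__ == "__main__":
    for login, finding in review_access(ROLE_MATRIX, HR_ROSTER, REPO_ACCESS, ACCESS_LOG):
        print(f"{login:10s} {finding}")
```

Each finding maps to one of the evidence items an auditor asks for: the roster and role matrix justify the access list, the MFA flag and leaver check cover the write-access and offboarding rules, and the log pass shows that the past month's access was reviewed rather than merely collected. Running the review on a schedule and keeping its output is the documented access review the compliance officer is asked to perform.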
Audit / evidence tips
- Ask: the list of individuals who have access to the source code. Good: roles matching access needs, with clear documentation for why access is given.
- Ask: to see the policy on modifying source code.
- Ask: logs of source code access over the past month.
- Ask: about the access review process for development tools and libraries.
- Ask: documentation on how external code use is managed, such as open-source libraries.
Cross-framework mappings
How Annex A 8.4 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Notes | Details |
|---|---|---|
| Supports (2) | | |
| E8-RA-ML1.1 | Annex A 8.4 requires appropriate management of read and write access to source code, development tools and software libraries | |
| E8-RA-ML3.3 | Annex A 8.4 requires organisations to appropriately manage read and write access to source code, development tools and software libraries | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| ISM-1422 | ISM-1422 mandates preventing unauthorised access to the software source to protect its integrity and confidentiality | |
| Partially overlaps (1) | | |
| ISM-1746 | Annex A 8.4 requires organisations to appropriately manage read and write access to source code, development tools and software libraries | |
| Supports (10) | | |
| ISM-0405 | Annex A 8.4 requires controlled assignment of read/write access to source code and development tooling to reduce unauthorised changes and... | |
| ISM-0414 | Annex A 8.4 requires organisations to appropriately manage read and write access to source code, development tools and software libraries | |
| ISM-0415 | Annex A 8.4 requires organisations to appropriately manage read and write access to source code, development tools and software libraries | |
| ISM-0430 | Annex A 8.4 requires controlled management of access to source code and development tooling, including removing access when no longer needed | |
| ISM-1419 | ISM-1419 requires software changes to occur only in development environments, reducing the likelihood of unauthorised or uncontrolled pro... | |
| ISM-1780 | ISM-1780 requires organisations to use SecDevOps practices for secure software development, which relies on protecting the integrity of c... | |
| ISM-1845 | Annex A 8.4 requires that access to source code and development tools is appropriately managed, including timely removal of access when n... | |
| ISM-2024 | Annex A 8.4 requires organisations to manage access to source code, development tools and software libraries, including controlling where... | |
| ISM-2033 | ISM-2033 requires software security requirements to be documented, stored securely, and maintained throughout the SDLC | |
| ISM-2048 | Annex A 8.4 requires read and write access to source code, development tools and software libraries to be appropriately managed | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.