If you are a technology company, your source code is likely your most valuable asset. It is the “crown jewel” that drives your revenue, contains your intellectual property, and holds the secrets to how your business operates. Yet, in many organisations, access to this code is treated with surprisingly little care—often stored in repositories where every developer, contractor, and sometimes even the marketing intern has full “read/write” access.
This is a disaster waiting to happen. Uncontrolled source code access leads to data breaches, theft of IP, and the injection of malicious backdoors.
ISO 27001:2022 Annex A 8.4 is the specific control designed to stop this. It moves you from a “free-for-all” culture to a “need-to-know” culture. Let’s break down exactly how to implement this control effectively.
Table of contents
- What is Annex A 8.4?
- Step 1: Inventory Your Repositories
- Step 2: Implement Role-Based Access Control (RBAC)
- Step 3: Separate Read and Write Access
- Step 4: Protect the Master Branch
- Step 5: Secure the Environment (MFA)
- Step 6: Don’t Forget the “Tools”
- Documentation and Policy
- Common Pitfalls to Avoid
- Conclusion
What is Annex A 8.4?
In the 2022 update of the standard, Annex A 8.4 is titled Access to Source Code. It falls under the “Technological Controls” category, but it heavily relies on process and people.
The requirement is straightforward: read and write access to source code, development tools, and software libraries must be appropriately managed. This means you need strict rules about who can see your code, who can change it, and how those changes are approved.
Step 1: Inventory Your Repositories
You cannot secure what you don’t know you have. Before locking down permissions, you need a complete picture of your development landscape.
Create a central register of:
- Code Repositories: GitHub, GitLab, Bitbucket, Azure DevOps, or on-premise servers.
- Development Tools: The platforms used to build and deploy code (CI/CD pipelines like Jenkins or CircleCI).
- Libraries: Internal and third-party libraries you manage.
If you find “rogue” repositories on developers’ personal accounts, bring them into the corporate fold immediately.
Step 2: Implement Role-Based Access Control (RBAC)
Gone are the days when everyone gets “Admin” rights. You need to implement the Principle of Least Privilege.
Define clear roles for your development teams:
- Read-Only: For junior developers or auditors who need to see code but not change it.
- Contributor (Write): For developers working on specific projects. They should only have write access to the repositories relevant to their work.
- Maintainer/Admin: A very small group who can merge code to the “Master” or “Production” branch and manage repository settings.
Step 3: Separate Read and Write Access
Annex A 8.4 explicitly mentions managing read and write access separately. Why? Because the risk profile is different.
Read Access Risk: Theft of IP or discovery of vulnerabilities (like hardcoded passwords) that can be used to attack the live system.
Write Access Risk: Malicious code injection, sabotage, or accidental deletion of critical functions.
Ensure your version control system (like Git) is configured to enforce these distinctions. A developer might have Read access to the entire codebase for context, but Write access only to their specific microservice.
Step 4: Protect the Master Branch
Implementing Annex A 8.4 isn’t just about who can log in; it’s about who can deploy. You should implement Branch Protection Rules.
No single developer should be able to push code directly to the production branch. Instead, enforce a workflow where:
- Developers push to a “Feature” branch.
- They open a “Pull Request” (PR) to merge into Master.
- Another developer must review and approve the code (Peer Review).
- Only then can it be merged.
This ensures that every line of code changing your business logic has been seen by at least two pairs of eyes.
Step 5: Secure the Environment (MFA)
If a developer’s password is stolen, your source code is compromised. To satisfy Annex A 8.4 (and Annex A 8.5 Secure Authentication), you must enforce Multi-Factor Authentication (MFA) on all code repositories.
Additionally, prevent the use of passwords for command-line access. Force the use of SSH Keys with passphrases. This is a standard industry practice that significantly raises the security bar.
Step 6: Don’t Forget the “Tools”
The control mentions “development tools.” This is often overlooked. If an attacker can’t access your GitHub, they might try to attack your Jenkins or CI/CD server to inject malicious code during the build process.
Ensure that access to these build tools is restricted just as tightly as the code itself. Only authorised personnel should be able to modify the build pipeline configurations.
Documentation and Policy
An auditor will want to see the rules written down. You need a Secure Development Policy or a specific Source Code Access Procedure.
This document should outline:
- How access is requested and approved.
- The requirement for MFA.
- The process for revoking access when a developer leaves (Offboarding).
If you need help structuring this, Hightable.io offers comprehensive ISO 27001 toolkits that include these specific policy templates, saving you from writing them from scratch.
Common Pitfalls to Avoid
- Hardcoded Credentials: While technically part of Secure Coding (Annex A 8.28), having passwords in your source code makes “Read” access dangerous. Scan your code to remove them.
- The “Ghost” Users: Developers who left the company 6 months ago but still have access to GitHub. Conduct a quarterly User Access Review (Annex A 5.18).
- Public Repositories: Accidentally making a private repo “Public.” Check your settings regularly.
Conclusion
Implementing Annex A 8.4 is about professionalism. It ensures your source code is treated with the respect and security it deserves. By strictly controlling who can see and touch your code, you protect the very DNA of your business.
