psjenkins/ISMS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
881b2bf2bcd7b1053d66f58e0fb522118a672f19
ISMS/02-standards/ci-cd-security-standard.md
Paul Jenkins 5eade2d99b Initial commit
2026-03-26 09:35:22 +00:00

2.9 KiB
Raw Blame History

Title: CI/CD Security Standard Document ID: [STD-CICD-001] Version: 0.1 Draft Status: Draft Owner: CISO (Paul Jenkins) Approver: CISO (Paul Jenkins) Classification: Internal Effective date: [DD Month YYYY] Review date: [DD Month YYYY]

CI/CD Security Standard

Purpose

This standard defines the minimum security requirements for continuous integration, continuous delivery, and automated build and deployment workflows.

Scope

This standard applies to source control integrations, build systems, test pipelines, artefact repositories, deployment automation, and related engineering workflow components within the ISMS scope.

Mandatory Requirements

CI/CD systems must be access-controlled and restricted to authorised users, services, and automation identities.

Changes to pipeline definitions, build configurations, deployment workflows, and release automation must be subject to review and approval.

Build and deployment workflows must provide traceability between approved source changes, generated artefacts, and deployed outputs.

Secrets used by CI/CD systems must be managed according to the approved secrets management approach and must not be exposed through pipeline logs or insecure configuration.

Production deployment paths must include appropriate separation of duties, approval, or equivalent compensating control based on risk.

Build environments and runners must be managed and hardened according to approved configuration and access requirements.

Pipeline activity, administrative changes, and failed or unusual security-relevant events should be logged and reviewed where appropriate.

Artefacts promoted to production should originate from approved and traceable build processes.

Implementation Guidance

BlackDice should design CI/CD controls to support rapid engineering while preserving change integrity and production safety.

The standard should be applied consistently to application code, infrastructure as code, policy-as-code, and deployment configuration where these contribute to service delivery.

Where third-party hosted build or deployment services are used, supplier and shared-responsibility considerations should be documented.

Higher-risk deployment paths, including production and security-sensitive platform changes, should receive stronger approval and monitoring controls.

Roles and Responsibilities

  • [Role] must define CI/CD security expectations.
  • Engineering and platform owners must implement compliant pipeline controls.
  • Approvers and reviewers must assess high-risk changes before production deployment.

Exceptions

Exceptions must be documented, justified, risk-assessed, approved, and reviewed.

Related Documents

  • Secure Development Policy
  • Change Management Policy
  • Secrets Management Standard
  • Secure Code Review Standard

Version Control

Version Date Description of Change Author
0.1 Draft [DD Month YYYY] Initial draft. [Name or Role]
Reference in New Issue View Git Blame Copy Permalink