Technological | Preventive | Protect

A.8.4 Access to Source Code

M365 Admin Path: Azure DevOps (dev.azure.com) > Project Settings > Repositories > Security; Azure DevOps > Repos > Branches > Branch policies

Evidence Source: Azure DevOps API

What is this control?

ISO 27001 control A.8.4 requires that read and write access to source code, development tools, and software libraries be strictly managed. Source code is often an organization’s most valuable intellectual property and a critical security asset. Uncontrolled access increases the risk of code theft (loss of IP), accidental corruption, or the malicious introduction of vulnerabilities (such as backdoors or logic bombs).

This control aims to prevent unauthorized modification and maintain the integrity of the software supply chain by ensuring only authorized personnel can access or alter the codebase.

How to implement in Microsoft 365

Implementing this control involves enforcing the Principle of Least Privilege within Version Control Systems (VCS) such as Azure Repos or GitHub. Host all source code in a managed, authenticated repository system and assign permissions via security groups (e.g., AAD/Entra Groups) rather than individual users. Strictly distinguish between ‘Read-Only’ access for auditors or junior staff and ‘Write/Contribute’ access for developers.

Implement branch protection policies on critical branches (e.g., main or release) to prohibit direct commits and require Pull Requests (PRs) with mandatory code reviews. Furthermore, enforce Multi-Factor Authentication (MFA) and Conditional Access policies for all users accessing the code repositories, so that a stolen password alone is not enough to reach the code.

What an auditor looks for

The auditor will verify that access is restricted to only those who strictly need it for their role. They will review the “Security” or “Permissions” settings in Azure Repos (or equivalent) to confirm that users are assigned appropriate roles like Reader, Contributor, or Project Administrator based on their job function. They will look for the exclusive use of Security Groups rather than direct user assignment to simplify management.

They will specifically sample a recently terminated employee to ensure their access to source code was revoked immediately upon departure. Finally, they will examine branch policies to verify that “Force Push” is disabled on the main branch and that peer reviews are technically enforced before code can be merged.
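The two branch-level checks named above (peer review technically enforced before merge, and "Force push" disabled on main) can be scripted against the Evidence Source, the Azure DevOps REST API, instead of read off the portal. The following Python is an added example written for this page; it is not Microsoft's code or part of the control text. It evaluates policy configurations and branch ACL entries in the shape the `policy/configurations` and `accesscontrollists` endpoints return, using constructed sample data so it runs offline; `fetch_json` shows how the same data is retrieved with a Personal Access Token. The policy display name "Minimum number of reviewers", the Force push permission bit (8) of the Git Repositories security namespace, and the group descriptors in the sample are assumptions to confirm against your own organisation (the `securitynamespaces` endpoint lists the real bits).

```python
"""Branch-protection evidence for ISO 27001 A.8.4 from Azure DevOps API data.

Sample data below is CONSTRUCTED to resemble Azure DevOps REST responses;
fetch_json() shows how the same shapes are retrieved from a real organisation.
"""
import base64
import json
import urllib.request

MIN_REVIEWERS_POLICY = "Minimum number of reviewers"  # policy type displayName (assumed)
# "Force push (rewrite history, delete branches and tags)" bit of the Git Repositories
# security namespace (assumed; confirm with
# GET https://dev.azure.com/{org}/_apis/securitynamespaces?api-version=7.1).
FORCE_PUSH_BIT = 8


def fetch_json(org, path, pat):
    """GET an Azure DevOps REST path with a PAT (Basic auth, empty user name).

    Example path: f"{project}/_apis/policy/configurations?api-version=7.1"
    """
    token = base64.b64encode(f":{pat}".encode()).decode()
    req = urllib.request.Request(f"https://dev.azure.com/{org}/{path}",
                                 headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def branch_policies(configs, repo_id, ref="refs/heads/main"):
    """Enabled, blocking policy configurations scoped exactly to repo_id/ref."""
    out = []
    for cfg in configs:
        if not (cfg.get("isEnabled") and cfg.get("isBlocking")):
            continue  # disabled or advisory-only policies do not stop a merge
        scopes = cfg.get("settings", {}).get("scope", [])
        if any(s.get("repositoryId") == repo_id and s.get("refName") == ref for s in scopes):
            out.append(cfg)
    return out


def check_peer_review(configs, repo_id, ref="refs/heads/main", min_count=1):
    """Findings for 'peer review technically enforced before code can be merged'."""
    findings = []
    policies = [c for c in branch_policies(configs, repo_id, ref)
                if c["type"]["displayName"] == MIN_REVIEWERS_POLICY]
    if not policies:
        return [f"{ref}: no enabled, blocking '{MIN_REVIEWERS_POLICY}' policy"]
    settings = policies[0]["settings"]
    if settings.get("minimumApproverCount", 0) < min_count:
        findings.append(f"{ref}: minimumApproverCount below {min_count}")
    if settings.get("creatorVoteCounts"):
        findings.append(f"{ref}: PR author may count as a reviewer (creatorVoteCounts)")
    return findings


def check_force_push(acl):
    """Descriptors holding an effective Force push allow (allow bit set, deny bit clear)."""
    return sorted(d for d, ace in acl.get("acesDictionary", {}).items()
                  if ace.get("allow", 0) & FORCE_PUSH_BIT
                  and not ace.get("deny", 0) & FORCE_PUSH_BIT)


# --- constructed sample evidence for two repositories (ids and groups are made up) ---
REPO_OK = "11111111-aaaa-4bbb-8ccc-000000000001"
REPO_BAD = "22222222-aaaa-4bbb-8ccc-000000000002"

POLICY_CONFIGS = [  # shape of GET {project}/_apis/policy/configurations -> "value"
    {"isEnabled": True, "isBlocking": True,
     "type": {"displayName": MIN_REVIEWERS_POLICY},
     "settings": {"minimumApproverCount": 2, "creatorVoteCounts": False,
                  "scope": [{"repositoryId": REPO_OK, "refName": "refs/heads/main",
                             "matchKind": "Exact"}]}},
    {"isEnabled": True, "isBlocking": False,  # advisory only: the merge still goes through
     "type": {"displayName": MIN_REVIEWERS_POLICY},
     "settings": {"minimumApproverCount": 1, "creatorVoteCounts": True,
                  "scope": [{"repositoryId": REPO_BAD, "refName": "refs/heads/main",
                             "matchKind": "Exact"}]}},
]

ACLS = {  # one ACL per main branch, shape of GET _apis/accesscontrollists/{namespaceId}?token=...
    REPO_OK: {"token": f"repoV2/proj/{REPO_OK}/refs/heads/main",
              "acesDictionary": {"vssgp.Developers": {"allow": 4, "deny": FORCE_PUSH_BIT}}},
    REPO_BAD: {"token": f"repoV2/proj/{REPO_BAD}/refs/heads/main",
               "acesDictionary": {"vssgp.Developers": {"allow": 4 | FORCE_PUSH_BIT, "deny": 0},
                                  "vssgp.Auditors": {"allow": 2, "deny": 0}}},
}


def audit_repo(repo_id, configs=POLICY_CONFIGS, acls=ACLS):
    """All A.8.4 branch findings for one repository's main branch (empty = compliant)."""
    findings = check_peer_review(configs, repo_id)
    for who in check_force_push(acls.get(repo_id, {})):
        findings.append(f"refs/heads/main: Force push allowed for {who}")
    return findings


if __name__ == "__main__":
    for name, rid in (("web-api", REPO_OK), ("legacy-tool", REPO_BAD)):
        print(name, "->", audit_repo(rid) or ["compliant"])
```

Note that a reviewer policy that is enabled but not blocking produces the same finding as no policy at all: only `isBlocking` policies stop a merge, which is what "technically enforced" means to the auditor. Likewise the force-push check treats an explicit deny as overriding an allow, matching how the portal resolves an ACE, but it does not walk inherited project-level ACLs; pass the effective ACL for the branch token.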