Tech Due Diligence CQ-1: CI/CD Pipeline Maturity
What This Control Requires
The assessor evaluates the maturity, reliability, and security of the continuous integration and continuous deployment pipeline, including build automation, test automation, deployment frequency, and deployment safety mechanisms.
In Plain Language
A mature CI/CD pipeline is one of the strongest indicators of engineering discipline. It tells assessors whether the team can ship features quickly, recover from incidents fast, and maintain quality standards without relying on heroic manual effort. Companies with solid pipelines iterate faster and break less. Companies with manual or fragile deployment processes face higher operational risk, slower time to market, and more production incidents caused by deployment errors.

Assessors look at how frequently code is integrated and deployed, whether builds are fully automated or need manual steps, what automated tests run in the pipeline (unit, integration, end-to-end, security), whether deployment to production is automated, and whether rollback mechanisms exist for failed deployments.

The pipeline also reflects team confidence. Low deployment frequency often signals a fragile codebase or a process bottleneck - both of which are concerns for anyone evaluating the technology organisation.
How to Implement
Set up a fully automated CI/CD pipeline using a modern platform such as GitHub Actions, GitLab CI, CircleCI, or Jenkins. Trigger it automatically on code pushes and pull requests, with no manual steps needed for standard deployments.

Structure the pipeline in clear stages, in this order:
- Run linting and static analysis, to catch quality issues immediately.
- Run the full unit test suite.
- Build application artifacts (Docker images, compiled binaries, etc.).
- Run integration tests against a staging environment.
- Deploy to staging for acceptance testing.
- Deploy to production with automated health checks.

Build in deployment safety mechanisms:
- Blue-green deployments or rolling updates to minimise downtime.
- Automated health checks that verify the new deployment works correctly.
- Automatic rollback if health checks fail.
- Feature flags for disabling new features without redeploying.
- Approval gates for production releases where appropriate.

Track and optimise pipeline performance. Target under 10 minutes for CI and under 30 minutes for the full pipeline. Keep the flaky test rate below 1%. For mature teams, aim for daily or more frequent deployments, a deployment failure rate under 5%, and a fast mean time to recovery after a failed deployment.

Secure the pipeline itself. Use ephemeral build agents, manage secrets through a proper secrets management system (not plain-text environment variables), sign build artifacts, enforce branch protection rules that require a passing CI run before merging, and audit access to pipeline configuration. Version-control the pipeline configuration alongside the application code, and document the architecture, including all stages, dependencies, and configuration decisions.
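The performance targets above (CI time, full pipeline time, flaky rate, deployment frequency, failure rate, MTTR) are the numbers an assessor will want to see computed from real run history rather than estimated. The script below is an added illustration, not AuditFront's tooling or code from this page: it scores a constructed 7-day run history against the control's stated thresholds. The record field names (started, ci_done, finished, status, recovered, tests, flaky) and the 7-day window are assumptions; map them to whatever your CI platform's API exports. MTTR has no numeric target in the control text, so it is reported but not scored.

```python
"""Score a CI/CD run history against the targets this control names.

Added illustration, not AuditFront's tooling. Run records are constructed and
their field names are assumptions, not any platform's real export format.
"""
from datetime import datetime
from statistics import median

# Upper limits taken from the control text (value must be strictly below).
TARGETS = {
    "ci_minutes_p50": 10.0,        # CI stage under 10 minutes
    "pipeline_minutes_p50": 30.0,  # full pipeline under 30 minutes
    "flaky_rate": 0.01,            # flaky test rate below 1%
    "deploy_failure_rate": 0.05,   # deployment failure rate under 5%
}
MIN_DEPLOYS_PER_DAY = 1.0          # daily or more frequent deployments

# Constructed 7-day history. status "success"/"failed" are production
# deployments; "ci_failed" never reached deployment. "recovered" is when a
# failed deployment was rolled back or fixed forward.
WINDOW_DAYS = 7
RUNS = [
    {"started": "2024-06-03T09:00", "ci_done": "2024-06-03T09:07", "finished": "2024-06-03T09:24", "status": "success", "tests": 1200, "flaky": 4},
    {"started": "2024-06-03T15:30", "ci_done": "2024-06-03T15:39", "finished": "2024-06-03T15:58", "status": "success", "tests": 1200, "flaky": 2},
    {"started": "2024-06-04T10:00", "ci_done": "2024-06-04T10:08", "finished": "2024-06-04T10:27", "status": "success", "tests": 1200, "flaky": 0},
    {"started": "2024-06-05T11:00", "ci_done": "2024-06-05T11:06", "finished": "2024-06-05T11:22", "status": "failed", "recovered": "2024-06-05T11:40", "tests": 1205, "flaky": 6},
    {"started": "2024-06-06T09:15", "ci_done": "2024-06-06T09:24", "finished": "2024-06-06T09:49", "status": "success", "tests": 1205, "flaky": 1},
    {"started": "2024-06-07T14:00", "ci_done": "2024-06-07T14:07", "finished": "2024-06-07T14:25", "status": "success", "tests": 1210, "flaky": 3},
    {"started": "2024-06-07T17:00", "ci_done": "2024-06-07T17:11", "finished": "2024-06-07T17:11", "status": "ci_failed", "tests": 1210, "flaky": 5},
    {"started": "2024-06-09T08:00", "ci_done": "2024-06-09T08:08", "finished": "2024-06-09T08:29", "status": "success", "tests": 1210, "flaky": 2},
]


def _minutes(start, end):
    """Elapsed minutes between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def compute_metrics(runs, window_days):
    """Derive the control's metrics from a list of run records."""
    deployed = [r for r in runs if r["status"] in ("success", "failed")]
    if not deployed:
        raise ValueError("no production deployments in window")
    failed = [r for r in deployed if r["status"] == "failed"]
    ci_times = [_minutes(r["started"], r["ci_done"]) for r in runs]
    # Full pipeline time only makes sense for runs that reached production.
    pipe_times = [_minutes(r["started"], r["finished"]) for r in deployed]
    total_tests = sum(r["tests"] for r in runs)
    mttr = (sum(_minutes(r["finished"], r["recovered"]) for r in failed) / len(failed)) if failed else 0.0
    return {
        "ci_minutes_p50": median(ci_times),
        "ci_minutes_max": max(ci_times),
        "pipeline_minutes_p50": median(pipe_times),
        "pipeline_minutes_max": max(pipe_times),
        "flaky_rate": sum(r["flaky"] for r in runs) / total_tests,
        "deploys_per_day": len(deployed) / window_days,
        "deploy_failure_rate": len(failed) / len(deployed),
        "mttr_minutes": mttr,
    }


def evaluate(metrics):
    """Return {metric: (value, limit, ok)} for every scored target."""
    findings = {name: (metrics[name], limit, metrics[name] < limit) for name, limit in TARGETS.items()}
    dpd = metrics["deploys_per_day"]
    findings["deploys_per_day"] = (dpd, MIN_DEPLOYS_PER_DAY, dpd >= MIN_DEPLOYS_PER_DAY)
    return findings


if __name__ == "__main__":
    m = compute_metrics(RUNS, WINDOW_DAYS)
    for name, (value, limit, ok) in evaluate(m).items():
        print(f"{'PASS' if ok else 'FAIL'} {name:22} {value:8.3f} (target {limit})")
    print(f"info MTTR {m['mttr_minutes']:.0f} min; worst CI {m['ci_minutes_max']:.0f} min; "
          f"worst pipeline {m['pipeline_minutes_max']:.0f} min")
```

Durations are scored on the median so that one slow run does not fail the control, but the worst case is reported alongside because a 34-minute outlier is exactly what an assessor will ask about. With the constructed data the single failed deployment out of seven pushes the failure rate to about 14%, which is the finding that would surface in due diligence.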
Evidence Your Auditor Will Request
- CI/CD pipeline configuration files (version-controlled)
- Pipeline execution history showing frequency and success rates
- Deployment frequency metrics over the past 6 months
- Rollback procedures and evidence of successful rollback exercises
- Pipeline security measures (secrets management, artifact signing)
Common Mistakes
- Manual deployment steps remain in an otherwise automated pipeline
- Test suite is slow or flaky, causing developers to bypass CI checks
- No automated rollback mechanism; failed deployments require manual intervention
- Pipeline secrets stored in plain text in configuration files
- Deployment frequency is very low (monthly or less), suggesting fear of shipping
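The plain-text-secrets mistake is the one in this list that is easy to check mechanically before an assessor does. The script below is an added example, not AuditFront's tooling or code from this page: it scans pipeline configuration text for secret-looking keys whose value is a literal rather than a reference into a secrets store. It understands the GitHub Actions `${{ secrets.NAME }}` form and the `$NAME` / `${NAME}` environment-reference form used by GitLab CI and Jenkins; the key-name patterns and the sample workflow are constructed assumptions, and a real deployment would pair this with the platform's own secret scanning.

```python
"""Flag secret-looking keys assigned literal values in pipeline config.

Added example, not AuditFront's tooling. The key patterns are a constructed
heuristic and the sample workflow text is invented.
"""
import re

# Keys whose value should never be a literal in version-controlled config.
SECRET_KEY = re.compile(r"(?i)(password|passwd|secret|token|api[_-]?key|private[_-]?key|credential)")
# A "key: value" line inside a YAML mapping such as env:, with: or variables:.
ASSIGNMENT = re.compile(r"^\s*(?P<key>[A-Za-z0-9_.-]+)\s*:\s*(?P<value>\S.*?)\s*$")
# Values that reference a secrets store or environment instead of a literal:
# ${{ secrets.NAME }}, $NAME, ${NAME}.
REFERENCE = re.compile(
    r"^\$\{\{\s*secrets\.[A-Za-z0-9_]+\s*\}\}$"
    r"|^\$[A-Za-z_][A-Za-z0-9_]*$"
    r"|^\$\{[A-Za-z_][A-Za-z0-9_]*\}$"
)

# Constructed GitHub Actions workflow with two plain-text secrets planted.
SAMPLE = """\
name: deploy
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
      REGISTRY_TOKEN: "example-literal-token"
      API_KEY: ${API_KEY}
    steps:
      - name: Login
        run: echo "$REGISTRY_TOKEN" | docker login ghcr.io -u x --password-stdin
      - name: Deploy
        with:
          deploy-password: 'hunter2'
"""


def find_plaintext_secrets(text):
    """Return (line_number, key, literal_value) for each plain-text secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGNMENT.match(line)
        if not m or not SECRET_KEY.search(m.group("key")):
            continue
        value = m.group("value").strip().strip("'\"")
        if REFERENCE.match(value):
            continue  # pulled from a secrets store at run time; fine
        findings.append((lineno, m.group("key"), value))
    return findings


if __name__ == "__main__":
    for lineno, key, value in find_plaintext_secrets(SAMPLE):
        print(f"line {lineno}: {key} holds a literal value ({len(value)} chars)")
```

Run it over every pipeline file in the repository (for example as an early lint stage in the pipeline itself) so a literal credential fails the build before it is merged; the finding prints only the value's length, not the value, so the scan output can be attached as audit evidence without leaking anything.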
Frequently Asked Questions
What deployment frequency is expected by tech DD assessors?
Is trunk-based development required?