The correct and verified answer is B. Technological, because the identified risk—unrestricted write access to production source code and development tools—must be managed through technical enforcement mechanisms, not solely by people or organizational measures.
The scenario describes a failure to restrict access to critical production systems, allowing a junior developer to modify source code without authorization. This is a classic access control and privilege management issue that requires technological controls such as role-based access control (RBAC), privileged access management, repository permissions, and segregation of environments.
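As an added illustration (this code is not part of the original answer or of any standard), the following Python policy engine shows what "technical enforcement" looks like in practice: a deny-by-default role policy over segregated environments, a separate privileged role for production writes that is still gated on an approved change, and an audit trail of every decision. The role names, environment names and change-ticket identifiers are constructed for the example.

```python
"""Deny-by-default access policy for source repositories and environments.

Added illustration of the 'technical enforcement' point: a policy engine that
decides, and records, whether a principal may perform an action on a given
environment. Role names, environment names and ticket identifiers are
constructed for this example and are not from any standard or real system.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Env(Enum):
    DEV = "dev"
    STAGING = "staging"
    PROD = "prod"


@dataclass(frozen=True)
class Principal:
    name: str
    role: str


# Constructed role -> permitted (environment, action) pairs. Anything not
# listed is denied (deny by default: information access restriction).
POLICY = {
    "junior_developer": {
        (Env.DEV, "read"), (Env.DEV, "write"),
        (Env.STAGING, "read"), (Env.PROD, "read"),
    },
    "senior_developer": {
        (Env.DEV, "read"), (Env.DEV, "write"),
        (Env.STAGING, "read"), (Env.STAGING, "write"),
        (Env.PROD, "read"),
    },
    # Production write is a privileged right held by one role only, and even
    # that role is gated on an approved change (change management).
    "release_manager": {
        (Env.DEV, "read"), (Env.STAGING, "read"),
        (Env.PROD, "read"), (Env.PROD, "write"),
    },
}

# Constructed change-management record: ticket id -> approved?
APPROVED_CHANGES = {"CHG-1001": True, "CHG-1002": False}


@dataclass
class AuditLog:
    """Every decision, allowed or denied, is recorded so access can be monitored."""
    entries: list = field(default_factory=list)

    def record(self, principal, env, action, allowed, reason):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "who": principal.name, "role": principal.role,
            "env": env.value, "action": action,
            "allowed": allowed, "reason": reason,
        })


def authorize(principal, env, action, audit, change_ticket=None):
    """Return True only if the role policy permits (env, action) and, for
    production writes, an approved change ticket is supplied."""
    permitted = POLICY.get(principal.role, set())  # unknown role -> nothing permitted
    if (env, action) not in permitted:
        audit.record(principal, env, action, False, "not permitted for role")
        return False
    if env is Env.PROD and action == "write":
        if not APPROVED_CHANGES.get(change_ticket, False):
            audit.record(principal, env, action, False, "no approved change ticket")
            return False
    audit.record(principal, env, action, True, "policy match")
    return True


def demo():
    """Run the scenario from the question plus a few neighbouring cases."""
    audit = AuditLog()
    junior = Principal("jdoe", "junior_developer")
    release = Principal("rmgr", "release_manager")
    results = {
        "junior_prod_write": authorize(junior, Env.PROD, "write", audit),
        "junior_dev_write": authorize(junior, Env.DEV, "write", audit),
        "release_prod_write_no_ticket": authorize(release, Env.PROD, "write", audit),
        "release_prod_write_rejected_ticket": authorize(release, Env.PROD, "write", audit, "CHG-1002"),
        "release_prod_write_approved": authorize(release, Env.PROD, "write", audit, "CHG-1001"),
        "unknown_role": authorize(Principal("x", "contractor"), Env.DEV, "read", audit),
    }
    return results, audit


if __name__ == "__main__":
    results, audit = demo()
    for name, allowed in results.items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
    denied = [e for e in audit.entries if not e["allowed"]]
    print(f"{len(denied)} denied attempts recorded for review")
```

The point of the example is that the junior developer's production write is refused by the system itself, regardless of whether the developer knows or follows the policy, and that the refusal is logged; a written policy alone gives neither the prevention nor the evidence.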
ISO/IEC 27001:2022 Annex A categorizes controls into organizational, people, physical, and technological groups. The controls relevant to this scenario fall squarely under technological controls, including:
A.8.2 – Privileged access rights: requires restriction and management of elevated access to prevent unauthorized or excessive privileges.
A.8.3 – Information access restriction: ensures access to information and systems is limited in accordance with business requirements.
A.8.4 – Access to source code: explicitly requires that access to source code is restricted, controlled, and monitored.
A.8.32 – Change management: ensures that changes to production systems are authorized, tested, and approved.
While people controls (such as training or awareness) and organizational controls (such as policies) are supportive, they are insufficient on their own. Without technical enforcement, policies cannot prevent unauthorized access in practice.
ISO/IEC 27001:2022 emphasizes defense-in-depth, where technological controls enforce rules automatically, reducing reliance on human behavior alone.