
GitLab Security Compliance Controls


GitLab Control Framework (GCF)

Adobe's open source compliance framework served as the starting point of GitLab's overarching information security framework. It has been adapted and expanded as needed, and the result is the list of controls below, grouped by families and sub-families. Click on the links below to access the following information for each control:

Control Ownership

For an overview of control ownership, please refer to the controls RACI chart.

Data Classification Policy

For GitLab's data classification policy, please refer to the data classification page.

Security Controls Feedback

If you have any feedback on any of the security controls or related documentation, please add it as a comment in this issue.

Security Control Changes

The GitLab compliance team is responsible for ensuring the consistency of the documentation of the security controls listed below. While we normally welcome any GitLab team-member to make edits to handbook pages, please be aware that even small changes to the wording of any of these controls impact how they satisfy the requirements for the security frameworks they map to. Because of this, we ask that any changes that need to be made to this page and the underlying guidance pages start with a comment in this issue. The compliance team will then engage with you and make any appropriate changes to these handbook pages.

List of controls by family:

Asset Management

Backup Management

Business Continuity

Change Management

Configuration Management

Data Management

Identity and Access Management

Incident Response

Mobile Device Management

Network Operations

People Resources

Risk Management

Security Governance

Service Lifecycle

Site Operations

Systems Design Documentation

Systems Monitoring

Third Party Management

Training and Awareness

Vulnerability Management