File storage of embedded software source code

IATF does not prescribe how to store source code files or any other type of information, and at this point, there are some semi-regulatory quasi-technical documents that can be considered:

• https://www.gov.uk/government/publications/principles-of-cyber-security-for-connected-and-automated-vehicles/the-key-principles-of-vehicle-cyber-security-for-connected-and-automated-vehicles
• https://www.enisa.europa.eu/publications/cyber-security-and-resilience-of-smart-cars
• https://www.nhtsa.gov/sites/nhtsa.gov/files/documents/812333_cybersecurityformodernvehicles.pdf
• https://unece.org/fileadmin/DAM/trans/doc/2018/wp29grva/GRVA-01-17.pdf

Basically, they do not define as good practice using external web-based storage sites such as GIT, which provides you implement security measures to ensure only authorized personnel can have access to the code, like access control, cryptography, etc. Considering ISO 27001, the leading ISO standard for information security, you should perform a risk assessment to identify if these controls are enough to provide the security you want in this scenario (for example, for basic applications, such controls may be enough, but for more sensitive applications you should be considering not using this approach).  

For further information, see:

• How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/
• How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
• ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/