The organization must store the source code in a central repository.
ISO 27001:2013. Annex A - 9.4.5: Restrict access to application source code.
ISO 27001:2013. Annex A - 14.2.2: Control system changes during the software development lifecycle using formal change tracking mechanisms.
OWASP-ASVS v4.0.1 V1.10 Malicious Software Architectural Requirements (1.10.1): Verify that a source code control system is in use, with procedures to ensure that check-ins are accompanied by issues or change tickets. The source code control system should have access control and identifiable users to allow traceability of any changes.