
PDP-8 Change Management Approvals


What is this control about?

Change Management Approvals – Any changes deployed must have been approved. Approvals can happen at many different stages and may involve many different stakeholders. This is at the discretion of each company.

However, it is crucial that before a change is deployed to production it has received an independent approval from a stakeholder other than the person who coded the change. Approval evidence must be explicitly documented.

Available tools in the marketplace

Tools: no tool recommendations for this section.

Available templates

TrustCloud has a curated list of templates, internally or externally sourced, to help you get started. Click on the link for a downloadable version:

  • N/A – no template recommendations

Control implementation

Define and document a Change Management approval process in the change management policy that considers the following components:

  • Enforcing an approval within the tracking system or source code tool
  • For each change, document the approval explicitly and ensure that the approver is separate from the development personnel who worked on the code (segregation of duties is important)
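
One way to check the two components above against exported change records, as an added example that is not TrustCloud's own tooling. The record layout and field names (`author`, `contributors`, `reviews`, `deployed_at`) are hypothetical and the sample data is constructed; map them to whatever your tracking system or source code tool exports.

```python
from datetime import datetime

# Constructed sample records; field names are hypothetical, not any tool's export format.
CHANGES = [
    {"id": "CHG-101", "author": "alice", "contributors": ["alice"],
     "deployed_at": "2024-03-02T10:00:00",
     "reviews": [{"reviewer": "bob", "state": "approved", "at": "2024-03-01T16:00:00"}]},
    {"id": "CHG-102", "author": "carol", "contributors": ["carol"],  # self-approval
     "deployed_at": "2024-03-03T09:00:00",
     "reviews": [{"reviewer": "carol", "state": "approved", "at": "2024-03-02T12:00:00"}]},
    {"id": "CHG-103", "author": "dave", "contributors": ["dave", "erin"],  # approver co-wrote code
     "deployed_at": "2024-03-04T09:00:00",
     "reviews": [{"reviewer": "erin", "state": "approved", "at": "2024-03-03T12:00:00"}]},
    {"id": "CHG-104", "author": "frank", "contributors": ["frank"],  # approved after deployment
     "deployed_at": "2024-03-05T09:00:00",
     "reviews": [{"reviewer": "grace", "state": "approved", "at": "2024-03-05T11:00:00"}]},
    {"id": "CHG-105", "author": "heidi", "contributors": ["heidi"],  # approval later withdrawn
     "deployed_at": "2024-03-06T09:00:00",
     "reviews": [{"reviewer": "ivan", "state": "approved", "at": "2024-03-05T10:00:00"},
                 {"reviewer": "ivan", "state": "changes_requested", "at": "2024-03-05T15:00:00"}]},
]

def independent_approvers(change):
    """Reviewers whose latest pre-deployment review is an approval
    and who did not write any of the code in the change."""
    deployed = datetime.fromisoformat(change["deployed_at"])
    coders = {change["author"], *change["contributors"]}
    latest = {}
    for review in sorted(change["reviews"], key=lambda r: r["at"]):
        if datetime.fromisoformat(review["at"]) <= deployed:
            latest[review["reviewer"]] = review["state"]  # later review overrides earlier
    return sorted(p for p, s in latest.items() if s == "approved" and p not in coders)

def find_violations(changes):
    """IDs of changes deployed without an independent approval."""
    return [c["id"] for c in changes if not independent_approvers(c)]

if __name__ == "__main__":
    for change_id in find_violations(CHANGES):
        print(f"{change_id}: no independent approval before deployment")
```
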

What evidence do auditors look for?

Most auditors, at a minimum, are looking for the suggested actions below:

  • Provide the system configurations that show that code review or review is required in the workflow
  • Provide a most recent example of a change ticket showing explicit approval

Evidence example

From the suggested actions above, examples are provided below.

1. Provide the system configurations that show that code review or review is required in the workflow.

The example demonstrates the branch rules for a PR (pull request). The PR requires at least one review. If you have such a configuration, provide it.

[Image: Change Management Approvals]

Another example of a workflow:

[Image: Change Management Approvals]

2. Provide a recent example of a change ticket showing explicit approval.

The TrustCloud example shows the “approval” for one ticket. Upload the full ticket, and ensure it showcases the approval.

[Image: Change Management Approvals]

Another example if approval is captured within a ticket:

[Image: Change Management Approvals]
