Prior to introducing changes into the production environment, approval from authorized personnel is required based on the following:
This control aims to ensure important information about the change, its impacts, and ability to revert the change are documented and a part of the approval process. This allows everyone involved to have the information they need to make informed decisions about and execute on a change effectively. It also sets out to ensure all changes which could impact GitLab customers, GitLab team-members, and partners are approved by the appropriate person(s). This control can be tested by reviewing the criticality 1 and 2 change issues in the
production issue tracker. This testing is sufficient because the issue template contains a row naming the change reviewer(s) and a review of the issue activity can show whether the change reviewer(s) did approve of the change.
This control applies to all systems within our production environment. The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This may include third-party systems that support the business of GitLab.com.
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the Change Approval control issue.
Examples of evidence an auditor might request to satisfy this control: