Gitlab hero border pattern left svg Gitlab hero border pattern right svg

CM.1.02 - Change Approval Control Guidance

CM.1.02 - Change Approval

Control Statement

Prior to introducing changes into the production environment, approval from authorized personnel is required based on the following:

Context

This control aims to ensure important information about the change, its impacts, and ability to revert the change are documented and a part of the approval process. This allows everyone involved to have the information they need to make informed decisions about and execute on a change effectively. It also sets out to ensure all changes which could impact GitLab customers, GitLab team-members, and partners are approved by the appropriate person(s). This control can be tested by reviewing the criticality 1 and 2 change issues in the production issue tracker. This testing is sufficient because the issue template contains a row naming the change reviewer(s) and a review of the issue activity can show whether the change reviewer(s) did approve of the change.

Scope

This control applies to all systems within our production environment. The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This may include third-party systems that support the business of GitLab.com.

Ownership

Control Owner: Infrastructure

Additional control information and project tracking

Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the Change Approval control issue.

Examples of evidence an auditor might request to satisfy this control:

Policy Reference

Framework Mapping