Gitlab hero border pattern left svg Gitlab hero border pattern right svg

CM.3.01 - Third-Party Change Management Workflow Control Guidance

CM.3.01 - Third-Party Change Management Workflow

Control Statement

Third-party vendor and service change scope, change type, and roles and responsibilities are pre-established and documented in a change control workflow; notification and approval requirements are also pre-established based on risk associated with change scope and type.


Having a structured workflow and guidance on change management helps reduce the risk of GitLab experiencing platform or application instability by increasing the predictability and reproducibility of the change management process.


This control applies to third-party systems that support the business of



For third-party change management, there are two types of changes: automated updates from the vendor and customized changes performed by either GitLab or the vendor. Automated updates are categorized under the SaaS's patch management and we can rely on the SOC report and release notes from the vendor. This control is for customized changes.

Additional control information and project tracking

Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the Change Management Workflow control issue.

Examples of evidence an auditor might request to satisfy this control:

Policy Reference

Framework Mapping