This is a Controlled Document
Inline with GitLab's regulatory obligations, changes to controlled documents must be approved or merged by a code owner. All contributions are welcome and encouraged.
The purpose of the Change Management Policy is to ensure that a standard set of minimum requirements are established for changes that are made to production systems and supporting infrastructure across the organization.
These requirements are meant to provide a level of consistency across how changes are managed from the initial change request through to production deployment. These requirements have been established based on the GitLab Control Framework which is based on NIST CSF, ISO 27001 and SOC 2 standards.
Changes, in the context of this policy, are defined as modifications to the production environment, to include supporting infrastructure, and key corporate systems. The policy applies to changes that are made to systems assigned a Critical System Tier of
Tier 1 Mission Critical,
Tier 2 Business Critical,
Tier 3 Business Operational, and
Tier 4 Administrative.
Modifications include, but are not limited to:
Note: While Tier 4 Administrative systems are not subject to the scope of this policy, team members are encouraged to proactively adopt the requirements established by this policy across all systems, especially if there is a good probability that a system may move from a
Tier 4 Administrative system to a higher system tier handbook page.
In conjunction with this policy, supplemental change management procedures are formally documented to describe the standard operating procedure/workflow for executing changes in accordance with this policy and the Controlled Document Procedure. The change management procedures used at GitLab today have been listed below for reference, including a brief statement on the applicable scope for the change procedure. Additional information on scope is provided directly on each respective procedure's handbook page:
GitLab.com SaaS product
do notdirectly support the
GitLab.com SaaS product
|Security Compliance Team||Responsible for the continuous monitoring of change management procedures across the relevant systems through security control testing to ascertain adherence to this policy|
|Technical System Owners
Business System Owners
|Responsible for ensuring the minimum requirements established by this policy are implemented in procedure and executed consistently|
|Team Members||Responsible for following change management procedures in a way that aligns with this policy|
|Control Owners||Responsible for defining and implementing change management procedures that meet or exceed the minimum requirements that have been established by this policy|
The minimum change management requirements described below have been identified based on the Change Management Control Family (CHG) established by the GitLab Control Framework (GCF). These controls are subject to internal and external audits and therefore provide the minimum requirements for change management across the organization.
Supplemental change management procedures must incorporate the requirements called out in the sections below:
When in doubt, consult with Security Assurance
Team members who have questions about the minimum requirements in this policy or the appropriateness of change procedures that they maintain should consult with the Security Assurance Team as needed.
Exceptions to this policy will be tracked as per the Information Security Policy Exception Management Process. Procedure exceptions will be tracked by the procedure owner and must be approved by management.