--- layout: handbook-page-toc title: "CM.1.02 - Change Approval Control Guidance" --- ## On this page {:.no_toc .hidden-md .hidden-lg} - TOC {:toc .hidden-md .hidden-lg} # CM.1.02 - Change Approval ## Control Statement Prior to introducing changes into the production environment, approval from authorized personnel is required based on the following: * Change description * Impact of change * Test results ## Context This control aims to ensure important information about the change, its impacts, and ability to revert the change are documented and a part of the approval process. This allows everyone involved to have the information they need to make informed decisions about and execute on a change effectively. It also sets out to ensure all changes which could impact GitLab customers, GitLab team-members, and partners are approved by the appropriate person(s). This control can be tested by reviewing the criticality 1 and 2 change issues in the `production` issue tracker. This testing is sufficient because the issue template contains a row naming the change reviewer(s) and a review of the issue activity can show whether the change reviewer(s) did approve of the change. ## Scope This control applies to all systems within our production environment. The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This may include third-party systems that support the business of GitLab.com. ## Ownership Control Owner: `Infrastructure` * Process owner(s): * Infrastructure ## Additional control information and project tracking Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Change Approval control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/782). Examples of evidence an auditor might request to satisfy this control: * A copy of the Change Approval process for software and infrastructure, along with specific templates and workflows * Sample infrastructure Change Plans and related reviews/discussions * Sample Merge Request reviews and approvals ### Policy Reference * [Change Management](/handbook/engineering/infrastructure/change-management/) ## Framework Mapping * ISO * A.12.5.1 * A.14.2.3 * A.14.2.4 * A.14.2.8 * A.14.2.9 * SOC2 CC * CC8.1 * PCI * 1.1.1 * 10.4.2 * 6.3.2 * 6.4 * 6.4.5 * 6.4.5.1 * 6.4.5.2 * 6.4.5.3 * 6.4.5.4 * 6.4.6