Are production changes documented in a ticket, peer-reviewed, approved and traceable to the deployed artefact?
Description
What this control does
This control ensures all production changes follow a structured change management process requiring formal documentation, technical peer review, managerial approval, and full traceability between approved change tickets and deployed code or configuration artifacts. Each production deployment must be linked to a corresponding ticket that records the change request, review comments, approvals, and deployment evidence. This control supports audit trails, reduces unauthorized changes, and enables forensic analysis when incidents occur.
Control objective
What auditing this proves
Demonstrate that all production changes are initiated through a documented ticketing system, subjected to peer review and formal approval prior to deployment, and that deployed artifacts can be traced back to their originating change tickets.
Associated risks
Risks this control addresses
- Unauthorized or rogue changes deployed to production by individuals bypassing formal approval workflows
- Deployment of defective or vulnerable code due to absence of technical peer review before release
- Inability to identify root cause during incident response because change history is incomplete or absent
- Compliance violations resulting from undocumented changes to systems processing sensitive data
- Configuration drift and environment instability caused by ad-hoc modifications lacking formal tracking
- Insider threats exploiting gaps in oversight to introduce backdoors or malicious logic
- Failed rollback attempts during outages due to lack of traceability between deployed artifacts and approved change records
Testing procedure
How an auditor verifies this control
- Obtain the organization's change management policy and procedure documentation that defines ticket creation, peer review, approval requirements, and traceability standards for production changes
- Identify all systems, tools, and repositories used for change ticketing (e.g., Jira, ServiceNow), code repositories (e.g., GitHub, GitLab), and deployment pipelines during the audit period
- Select a representative sample of 25-40 production changes across the audit period, stratified by application, infrastructure type, and change complexity
- For each sampled change, retrieve the originating ticket and verify it contains required fields: change description, requester, business justification, implementation plan, and rollback procedure
- Review ticket audit logs or approval workflows to confirm that peer review was performed by qualified personnel other than the change author, and that formal approval was granted by an authorized change approver with a timestamp earlier than the deployment timestamp
- Examine deployment logs, CI/CD pipeline execution records, or release manifests to identify the specific artifact that was deployed to production (commit hash, container image digest, configuration version); an image tag alone is a weak identifier because tags are mutable, so prefer the digest where the registry records it
- Trace each deployed artifact back to its originating ticket by validating references such as ticket IDs in commit messages, build metadata, or deployment logs, confirming bidirectional traceability
- Reconcile recent production deployments against the ticketed changes by interviewing DevOps personnel and reviewing production access and deployment logs, to confirm that no direct modifications or emergency changes bypassed the documented process; emergency changes should still have a ticket, review and approval recorded, even if retrospectively
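The traceability steps above (artifact to commit, commit to ticket, ticket approved before deployment by someone other than the author, and the reverse check that every ticket marked deployed has a deployment record) can be scripted over exports from the three systems involved. The following is an added example, not part of the original page or any particular ticketing or CI tool. All data is constructed inline; the ticket field names (`requester`, `reviewer`, `approver`, `approved_at`, `status`), the `CHG-nnn` ticket key format and the build-metadata shape are assumptions about what an export would contain.

```python
"""Trace production deployments back to approved change tickets (audit helper).

Three constructed inputs stand in for exports an auditor would obtain:
a ticket export, the git log, and CI build/deployment records.
"""
import re
from datetime import datetime

# Assumed ticket key format, e.g. CHG-101 or SEC-42.
TICKET_RE = re.compile(r"\b[A-Z][A-Z0-9]+-\d+\b")


def ts(s):
    """Parse an ISO-8601 timestamp from an export."""
    return datetime.fromisoformat(s)


# Constructed sample: ticket export (field names are assumptions).
TICKETS = {
    "CHG-101": {"requester": "alice", "reviewer": "bob", "approver": "carol",
                "approved_at": ts("2024-03-01T09:00:00"), "status": "deployed"},
    "CHG-102": {"requester": "dave", "reviewer": "dave", "approver": "carol",
                "approved_at": ts("2024-03-02T14:00:00"), "status": "deployed"},
    "CHG-103": {"requester": "erin", "reviewer": "frank", "approver": None,
                "approved_at": None, "status": "in_review"},
    "CHG-104": {"requester": "gina", "reviewer": "hank", "approver": "carol",
                "approved_at": ts("2024-03-04T10:00:00"), "status": "deployed"},
}

# Constructed sample: git log, commit hash -> author and message.
COMMITS = {
    "a1b2c3d": {"author": "alice", "message": "CHG-101: rotate TLS cert loader"},
    "b2c3d4e": {"author": "dave", "message": "CHG-102: bump base image"},
    "c3d4e5f": {"author": "erin", "message": "CHG-103: add rate limit"},
    "d4e5f6a": {"author": "ivan", "message": "hotfix: disable feature flag"},
}

# Constructed sample: CI build metadata, immutable image digest -> commit hash.
BUILDS = {
    "sha256:1111": "a1b2c3d",
    "sha256:2222": "b2c3d4e",
    "sha256:3333": "c3d4e5f",
    "sha256:4444": "d4e5f6a",
}

# Constructed sample: production deployment records (digest and time).
DEPLOYMENTS = [
    {"digest": "sha256:1111", "deployed_at": ts("2024-03-01T11:00:00")},
    {"digest": "sha256:2222", "deployed_at": ts("2024-03-02T15:00:00")},
    {"digest": "sha256:3333", "deployed_at": ts("2024-03-03T09:00:00")},
    {"digest": "sha256:4444", "deployed_at": ts("2024-03-05T02:00:00")},
    {"digest": "sha256:9999", "deployed_at": ts("2024-03-06T08:00:00")},
]


def trace_deployment(dep, builds, commits, tickets):
    """Forward trace: digest -> commit -> ticket -> review/approval checks.

    Returns (ticket_id or None, list of findings). No findings means pass.
    """
    sha = builds.get(dep["digest"])
    if sha is None:
        return None, ["no build metadata links this digest to a commit"]
    commit = commits.get(sha)
    if commit is None:
        return None, [f"commit {sha} not found in repository history"]
    ids = TICKET_RE.findall(commit["message"])
    if not ids:
        return None, [f"commit {sha} references no ticket ID"]
    ticket_id = ids[0]
    t = tickets.get(ticket_id)
    if t is None:
        return ticket_id, [f"ticket {ticket_id} does not exist"]

    findings = []
    # Peer review must be independent of the person who wrote the change.
    if t["reviewer"] in (None, commit["author"], t["requester"]):
        findings.append(f"peer review not independent: reviewer {t['reviewer']} "
                        f"is the author/requester")
    # Approval must exist and must precede the deployment.
    if t["approver"] is None or t["approved_at"] is None:
        findings.append("no formal approval recorded on ticket")
    elif t["approved_at"] > dep["deployed_at"]:
        findings.append("approval granted after deployment")
    return ticket_id, findings


def audit(deployments, builds, commits, tickets):
    """Run the forward trace on every deployment, then the reverse check."""
    results = [trace_deployment(d, builds, commits, tickets) for d in deployments]
    traced = {tid for tid, _ in results if tid is not None}
    # Reverse trace: tickets claiming deployment with no deployment record.
    orphan_tickets = sorted(tid for tid, t in tickets.items()
                            if t["status"] == "deployed" and tid not in traced)
    return {"results": results, "orphan_tickets": orphan_tickets}


if __name__ == "__main__":
    report = audit(DEPLOYMENTS, BUILDS, COMMITS, TICKETS)
    for (ticket, findings), dep in zip(report["results"], DEPLOYMENTS):
        status = "PASS" if not findings else "FAIL"
        print(f"{dep['digest']:<12} {ticket or '-':<8} {status} {'; '.join(findings)}")
    for tid in report["orphan_tickets"]:
        print(f"ticket {tid} marked deployed but no deployment record references it")
```

On the constructed data only the first deployment passes: CHG-102 was reviewed by its own author, CHG-103 was deployed without a recorded approval, the hotfix commit carries no ticket reference, and the last digest has no build metadata at all (an out-of-band push). The reverse check surfaces CHG-104, which claims to be deployed but is referenced by no deployment record. Keying the trace on the image digest rather than a tag matters here: a mutable tag can be repointed after the fact, so tag-based evidence cannot prove which build actually ran.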