CM-03 Change Management

Change Authorisation

Changes reach production only after approval.

Domain: Change Management
Control type: Preventive
Automated / manual: Manual
Frequency: Per event
Framework reference: COBIT BAI06; MAS TRM – Change

What good looks like

Changes are approved by the designated authority before production migration.

Risk if it fails

Unauthorised changes deployed.

How Tess tests it

3 tests — each concludes only on cited evidence.

Approval authority/CAB defined

Design

Procedure: Inspect the authority matrix.
Expected: Approvers defined.
Sample: 1 (design inspection)
Evidence: Change approvals, deployment timestamps.

Approval obtained before deployment

Operating

Procedure: Sample changes; compare timestamps.
Expected: Approval precedes deployment.
Sample: Judgmental, by population (e.g. 10–25)
Evidence: Change approvals, deployment timestamps.

Approver authorised per matrix

Operating

Procedure: Inspect approver identity.
Expected: Correct authority approved.
Sample: Judgmental, by population (e.g. 10–25)
Evidence: Change approvals, deployment timestamps.

Evidence Tess looks for

Change approvals, deployment timestamps.

More in Change Management

CM-01 Change Management Policy CM-02 Change Request & Documentation CM-04 Testing / UAT Before Production CM-05 Environment Segregation

Want Tess to test CM-03 against your evidence?