CM-08 Change Management

Code Review / Peer Approval

Code changes are independently reviewed before merge.

Domain: Change Management
Control type: Preventive
Automated / manual: Hybrid
Frequency: Per event
Framework reference: COBIT BAI03

What good looks like

Code changes require peer approval and protected branches before merge.

Risk if it fails

Defective/malicious code merged.

How Tess tests it

3 tests — each concludes only on cited evidence.

Branch protection requires review

Design

Procedure: Inspect VCS branch settings.
Expected: Enforced on main/release branches.
Sample: 1 (design inspection)
Evidence: PR approvals, branch-protection settings.

PRs approved by independent reviewer

Operating

Procedure: Sample merges.
Expected: Reviewer is not the author.
Sample: Judgmental, by population (e.g. 10–25)
Evidence: PR approvals, branch-protection settings.

No direct pushes bypass review

Operating

Procedure: Inspect for bypasses.
Expected: Direct pushes blocked.
Sample: Judgmental, by population (e.g. 10–25)
Evidence: PR approvals, branch-protection settings.

Evidence Tess looks for

PR approvals, branch-protection settings.

More in Change Management

CM-01 Change Management Policy CM-02 Change Request & Documentation CM-03 Change Authorisation CM-04 Testing / UAT Before Production

Want Tess to test CM-08 against your evidence?