CM-10 Change Management

Deployment Pipeline (CI/CD)

Releases run through a controlled, auditable mechanism.

Domain: Change Management
Control type: Preventive/Detective
Automated / manual: Automated
Frequency: Per event
Framework reference: COBIT BAI07

What good looks like

Deployments run via gated CI/CD with immutable, versioned artefacts.

Risk if it fails

Manual/untracked deployments.

How Tess tests it

4 tests — each concludes only on cited evidence.

Pipeline gates & artefact management defined

Design

Procedure: Inspect the pipeline.
Expected: Gated, versioned artefacts.
Sample: 1 (design inspection)
Evidence: Pipeline definitions, run logs, artefact registry.

Deployments via pipeline (not manual)

Operating

Procedure: Sample deployments.
Expected: Pipeline-executed.
Sample: Judgmental, by population (e.g. 10–25)
Evidence: Pipeline definitions, run logs, artefact registry.

Approval gate enforced in pipeline

Operating

Procedure: Inspect pipeline config.
Expected: Gate present and effective.
Sample: Judgmental, by population (e.g. 10–25)
Evidence: Pipeline definitions, run logs, artefact registry.

Build artefacts immutable/traceable

Operating

Procedure: Inspect the artefact registry.
Expected: Versioned and traceable.
Sample: Judgmental, by population (e.g. 10–25)
Evidence: Pipeline definitions, run logs, artefact registry.

Evidence Tess looks for

Pipeline definitions, run logs, artefact registry.

More in Change Management

CM-01 Change Management Policy CM-02 Change Request & Documentation CM-03 Change Authorisation CM-04 Testing / UAT Before Production

Want Tess to test CM-10 against your evidence?