CM-14 Change Management

Infrastructure / IaC Changes

Infrastructure/cloud config changes are controlled.

Domain: Change Management
Control type: Preventive
Automated / manual: Automated
Frequency: Per event
Framework reference: COBIT BAI06; CSA CCM

What good looks like

IaC changes follow change control with peer review and automated policy checks.

Risk if it fails

Drift/misconfiguration in production infra.

How Tess tests it

3 tests — each concludes only on cited evidence.

IaC change workflow with policy checks defined

Design

Procedure: Inspect the workflow.
Expected: Defined with policy-as-code checks.
Sample: 1 (design inspection)
Evidence: IaC pull requests, policy-as-code results, apply logs.

Infra changes peer-reviewed

Operating

Procedure: Sample infra changes.
Expected: Reviewed before apply.
Sample: Judgmental, by population (e.g. 10–25)
Evidence: IaC pull requests, policy-as-code results, apply logs.

Policy-as-code checks pass before apply

Operating

Procedure: Inspect check results.
Expected: Gated on passing checks.
Sample: Judgmental, by population (e.g. 10–25)
Evidence: IaC pull requests, policy-as-code results, apply logs.

Evidence Tess looks for

IaC pull requests, policy-as-code results, apply logs.

More in Change Management

CM-01 Change Management Policy CM-02 Change Request & Documentation CM-03 Change Authorisation CM-04 Testing / UAT Before Production

Want Tess to test CM-14 against your evidence?