CM-16 Change Management

SDLC Methodology

Development follows a defined, gated lifecycle.

Domain: Change Management
Control type: Preventive
Automated / manual: Manual
Frequency: Per project
Framework reference: COBIT BAI02/BAI03

What good looks like

A defined SDLC governs development with phase gates and required deliverables.

Risk if it fails

Poorly controlled, insecure or unfit systems.

How Tess tests it

2 tests — each concludes only on cited evidence.

SDLC with phase gates & deliverables defined

Design

Procedure: Inspect the SDLC.
Expected: Defined.
Sample: 1 (design inspection)
Evidence: SDLC policy, project artefacts.

SDLC applied to sampled project

Operating

Procedure: Inspect project artefacts.
Expected: Gate artefacts evidenced.
Sample: Judgmental, by population (e.g. 10–25)
Evidence: SDLC policy, project artefacts.

Evidence Tess looks for

SDLC policy, project artefacts.

More in Change Management

CM-01 Change Management Policy CM-02 Change Request & Documentation CM-03 Change Authorisation CM-04 Testing / UAT Before Production

Want Tess to test CM-16 against your evidence?