CM-09 Change Management

Version Control / SCM

Source code integrity and history are maintained.

Domain: Change Management
Control type: Preventive
Automated / manual: Automated
Frequency: Continuous
Framework reference: COBIT BAI03

What good looks like

Source code in version control with access controls and full history.

Risk if it fails

Loss of code integrity/traceability.

How Tess tests it

3 tests — each concludes only on cited evidence.

Source in VCS with access control

Design

Procedure: Inspect the repositories.
Expected: Controlled repositories.
Sample: 1 (design inspection)
Evidence: Repository access listing, history sample.

Repo access restricted to authorised devs

Operating

Procedure: Reconcile repo access.
Expected: Appropriate access only.
Sample: 25 (or full config inspection)
Evidence: Repository access listing, history sample.

History intact/auditable

Operating

Procedure: Inspect protected-branch history.
Expected: No tampering/force-push on protected branches.
Sample: 25 (or full config inspection)
Evidence: Repository access listing, history sample.

Evidence Tess looks for

Repository access listing, history sample.

More in Change Management

CM-01 Change Management Policy CM-02 Change Request & Documentation CM-03 Change Authorisation CM-04 Testing / UAT Before Production

Want Tess to test CM-09 against your evidence?