---
layout: handbook-page-toc
title: "CM.1.01 - Change Management Workflow Control Guidance"
---

## On this page
{:.no_toc .hidden-md .hidden-lg}

- TOC
{:toc .hidden-md .hidden-lg}

# CM.1.01 - Change Management Workflow

## Control Statement

The standard change management process is documented in a change control workflow. 

## Context

Having a structured workflow and guidance on change management helps reduce the risk of GitLab experiencing platform or application instability by increasing the predictability and reproducibility of the change management process.

## Scope

This control applies to all systems within our GitLab.com production environment. The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This doesn't include third-party systems that support the business of GitLab.com, which can be found in CM.3.01.

## Ownership

* Control Owner: `Infrastructure`
* Process owner(s):
    * Infrastructure

## Guidance

Change management encapsulates multiple types of changes within our business environment.

The two primary production changes are **infrastructure** changes and **source code** changes to the GitLab service itself.
* Infrastructure changes are done in accordance with the [Change Management](/handbook/engineering/infrastructure/change-management/) process.
* Code changes are made in accordance with our contribution, review, and approval processes, which are described as part of the [Service Lifecycle Workflow](/handbook/engineering/security/security-assurance/security-compliance/guidance/SLC.1.01_service_lifecycle_workflow.html) control.

**Third-party systems**, the **data warehouse**, and **financial** changes are related to the [Business Technology Change Management Workflow](/handbook/business-ops/business-technology-change-management/).

Additionally, any changes to the GitLab [handbook](about.gitlab.com) use the [gitlab.com](gitlab.com) version control system.

## Additional control information and project tracking

Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Change Management Workflow control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/781).

Examples of evidence an auditor might request to satisfy this control:

* Copy of the GitLab change management workflow
* Sample of issues or other documentation showing the change management workflow is followed

### Policy Reference

* [Change Management](/handbook/engineering/infrastructure/change-management/)
* [Service Lifecycle Workflow](/handbook/engineering/security/security-assurance/security-compliance/guidance/SLC.1.01_service_lifecycle_workflow.html)
* [Business Technology Change Management Workflow](/handbook/business-ops/business-technology-change-management/)

## Framework Mapping

* ISO
  * A.12.1.2
  * A.12.6.2
  * A.14.2.1
  * A.14.2.2
  * A.14.2.4
* SOC2 CC
  * CC2.3
  * CC8.1
* PCI
  * 1.1.1
  * 10.4.2
  * 6.4
  * 6.4.5
  * 6.4.5.1
  * 6.4.5.2
  * 6.4.5.3
  * 6.4.5.4
  * 6.4.6