Change management

Check ID
GOV_0001

Category

Compliance

Summary

Change Management ensures that all application and configuration changes are traceable, governed, and properly controlled. Based on the selected Coverage Profile, it verifies deployment traceability, approval before release, rollback registration, and—at the strictest level—independent review (separation of duties). Compliance is continuously evaluated using audit event evidence across the selected environments.

Options

  • Coverage Profile – Defines how rigorously the control is evaluated. It determines which audit events are required as evidence, what governance conditions must be met, and how strictly compliance is assessed.

  • Environment Scope – Defines where the control applies. It determines which environment types (e.g., Production, Acceptance, Development) are evaluated for compliance with the selected Coverage Profile.

Coverage Profiles

The table below describes the coverage profiles available for this control. For a general understanding of how coverage profiles work, please see the Controls page.

| Coverage Profile | Profile Description | Evidence Event Codes | Coverage Profile Description |
|---|---|---|---|
| Basic | Traceability of changes: deployment lifecycle + configuration changes. | DEPLOY_STARTED, DEPLOY_COMPLETED, DEPLOY_FAILED, CONFIG_CHANGED | 1. Revision changes are always linked to a release. 2. Configuration changes are always linked to a release. |
| Standard | Adds governance and recoverability evidence: approvals and rollback activity. | DEPLOY_STARTED, DEPLOY_COMPLETED, DEPLOY_FAILED, CONFIG_CHANGED, CHANGE_APPROVED, ROLLBACK_EXECUTED | 1. Revision changes are always linked to a release. 2. Configuration changes are always linked to a release. 3. Deployments are always associated with an approval. 4. Rollbacks are always registered. |
| Strict | Adds explicit review evidence (separation of duties) on top of approvals and rollback activity. | DEPLOY_STARTED, DEPLOY_COMPLETED, DEPLOY_FAILED, CONFIG_CHANGED, CHANGE_APPROVED, ROLLBACK_EXECUTED, CHANGE_REVIEW_COMPLETED | 1. Revision changes are always linked to a release. 2. Configuration changes are always linked to a release. 3. Deployments are always associated with an approval. 4. Rollbacks are always registered. 5. Change review (policy check) is always associated with a release. |
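
The evidence checks in the table above can be sketched as an evaluator over audit events. This is an added example, not the product's own implementation: the event fields `ts`, `environment`, `code` and `release_id`, the helper `ev`, and the sample events are assumptions, "approval before release" from the Summary is read as an approval timestamped no later than the first deployment event, and "Rollbacks are always registered" is read as ROLLBACK_EXECUTED being linked to a release.

```python
from collections import defaultdict

# Evidence event codes per Coverage Profile, as listed in the table above.
DEPLOY = {"DEPLOY_STARTED", "DEPLOY_COMPLETED", "DEPLOY_FAILED"}
CODES = {"Basic": DEPLOY | {"CONFIG_CHANGED"}}
CODES["Standard"] = CODES["Basic"] | {"CHANGE_APPROVED", "ROLLBACK_EXECUTED"}
CODES["Strict"] = CODES["Standard"] | {"CHANGE_REVIEW_COMPLETED"}

def evaluate(events, profile, scope):
    """Return sorted findings for one profile and environment scope; [] means compliant."""
    required = CODES[profile]
    first = defaultdict(dict)  # (environment, release_id) -> {code: earliest ts}
    findings = []
    for e in events:
        if e["environment"] not in scope or e["code"] not in required:
            continue  # outside the Environment Scope, or not evidence for this profile
        if not e.get("release_id"):  # every evidence event must be linked to a release
            findings.append(f"{e['code']} in {e['environment']} not linked to a release")
            continue
        seen = first[(e["environment"], e["release_id"])]
        seen[e["code"]] = min(e["ts"], seen.get(e["code"], e["ts"]))
    for (env, rel), seen in first.items():
        deploys = [seen[c] for c in DEPLOY if c in seen]
        if not deploys:
            continue  # release never deployed in this environment
        approved = seen.get("CHANGE_APPROVED")
        if "CHANGE_APPROVED" in required and not (approved and approved <= min(deploys)):
            findings.append(f"release {rel} deployed to {env} without prior approval")
        if "CHANGE_REVIEW_COMPLETED" in required and "CHANGE_REVIEW_COMPLETED" not in seen:
            findings.append(f"release {rel} deployed to {env} without review")
    return sorted(findings)

def ev(ts, env, code, rel):  # hypothetical event shape; ISO-8601 UTC strings sort by time
    return {"ts": f"2024-01-01T{ts}:00Z", "environment": env, "code": code, "release_id": rel}

# Constructed sample audit events (not real product output).
SAMPLE = [
    ev("09:00", "Production", "CHANGE_APPROVED", "r1"),
    ev("09:05", "Production", "CHANGE_REVIEW_COMPLETED", "r1"),
    ev("09:10", "Production", "DEPLOY_STARTED", "r1"),
    ev("10:00", "Production", "DEPLOY_STARTED", "r2"),
    ev("10:05", "Production", "ROLLBACK_EXECUTED", "r2"),
    ev("10:30", "Production", "CHANGE_APPROVED", "r2"),   # approval after the deployment
    ev("11:00", "Production", "CONFIG_CHANGED", None),    # not linked to a release
    ev("12:00", "Development", "DEPLOY_STARTED", "r3"),   # no approval at all
]

if __name__ == "__main__":
    print({p: evaluate(SAMPLE, p, {"Production"}) for p in CODES})
```

The same event stream passes or fails depending on the selected profile and scope: release r2 is only flagged from Standard upward, and r3 only when Development is in scope.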
