# Change management

<table><thead><tr><th width="138">Check ID</th><th>GOV_0001</th></tr></thead><tbody><tr><td>Category</td><td>Compliance</td></tr><tr><td>Summary</td><td><strong>Change Management</strong> ensures that all application and configuration changes are traceable, governed, and properly controlled. Based on the selected Coverage Profile, it verifies deployment traceability, approval before release, rollback registration, and—at the strictest level—independent review (separation of duties). Compliance is continuously evaluated using audit event evidence across the selected environments.</td></tr><tr><td>Options</td><td><p></p><ul><li><strong>Coverage Profile</strong> – Defines how rigorously the control is evaluated. It determines which audit events are required as evidence, what governance conditions must be met, and how strictly compliance is assessed.</li><li><strong>Environment Scope</strong> – Defines where the control applies. It determines which environment types (e.g., Production, Acceptance, Development) are evaluated for compliance with the selected Coverage Profile.</li></ul></td></tr></tbody></table>

### Coverage Profiles

The table below describes the coverage profiles available for this control. For a general understanding of how coverage profiles work please see the [Controls](https://docs.bluestorm.io/checks/governance_control) page.

<table><thead><tr><th width="118.5">Coverage Profile</th><th width="198.5">Profile Description</th><th width="204">Evidence Event Codes</th><th>Coverage Profile Description</th></tr></thead><tbody><tr><td><strong>Basic</strong></td><td>Traceability of changes: deployment lifecycle + configuration changes.</td><td><p><code>DEPLOY_STARTED</code></p><p><code>DEPLOY_COMPLETED</code></p><p><code>DEPLOY_FAILED</code></p><p><code>CONFIG_CHANGED</code></p></td><td><p>1. Revision changes are always linked to a release.</p><p>2. Configuration changes are always linked to a release.</p></td></tr><tr><td><strong>Standard</strong></td><td>Adds governance and recoverability evidence: approvals and rollback activity.</td><td><p><code>DEPLOY_STARTED</code></p><p><code>DEPLOY_COMPLETED</code></p><p><code>DEPLOY_FAILED</code></p><p><code>CONFIG_CHANGED</code></p><p><code>CHANGE_APPROVED</code></p><p><code>ROLLBACK_EXECUTED</code></p></td><td><p>1. Revision changes are always linked to a release.</p><p>2. Configuration changes are always linked to a release.</p><p>3. Deployments are always associated with an approval.</p><p>4. Rollbacks are always registered.</p></td></tr><tr><td><strong>Strict</strong></td><td>Adds explicit review evidence (separation of duties) on top of approvals and rollback activity.</td><td><p><code>DEPLOY_STARTED</code></p><p><code>DEPLOY_COMPLETED</code></p><p><code>DEPLOY_FAILED</code></p><p><code>CONFIG_CHANGED</code></p><p><code>CHANGE_APPROVED</code></p><p><code>ROLLBACK_EXECUTED</code></p><p><code>CHANGE_REVIEW_COMPLETED</code></p></td><td><p>1. Revision changes are always linked to a release.</p><p>2. Configuration changes are always linked to a release.</p><p>3. Deployments are always associated with an approval.</p><p>4. Rollbacks are always registered.</p><p>5. Change review (policy check) is always associated with a release.</p></td></tr></tbody></table>