PDP-8 Change Management Approvals


What is PDP-8 Change Management Approvals Control?

The PDP-8 Change Management Approvals control requires that any change that is deployed must be approved. Approvals can happen at many different stages and may involve many different stakeholders. This is at the discretion of each company.

However, it is crucial that before any change is deployed to production, it has received independent approval from a stakeholder other than the change coder. Approval evidence must be explicitly documented.

Available tools in the marketplace

No tool recommendation is made for this section.

Available templates

TrustCloud has a curated list of templates, internally or externally sourced, to help you get started. Click on the link for a downloadable version:

  • N/A: no template for this section

Control implementation

To implement this control, you need to define and document a change management approval process in the change management policy, considering the following components:

  1. Enforcing approval within the tracking system or source code tool
  2. For each change, document the approval explicitly and ensure that the approver is separate from the development personnel who worked on the code (segregation of duties is important).
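
The following Python example is added here and is not part of TrustCloud's material. It checks exported change records for the two conditions above: an approval is documented before deployment, and the approver is not one of the developers who worked on the change. The record fields (`developers`, `approvals`, `deployed_at`) and the sample data are constructed assumptions, not any tracking tool's export format.

```python
from datetime import datetime

# Constructed sample change records (hypothetical field names and values).
CHANGES = [
    {"id": "CHG-101", "developers": ["alice"],
     "approvals": [{"by": "bob", "at": "2024-03-01T10:00:00"}],
     "deployed_at": "2024-03-01T12:00:00"},
    {"id": "CHG-102", "developers": ["alice", "carol"],   # approver also worked on the code
     "approvals": [{"by": "Carol", "at": "2024-03-02T09:00:00"}],
     "deployed_at": "2024-03-02T11:00:00"},
    {"id": "CHG-103", "developers": ["dave"],             # approved only after deployment
     "approvals": [{"by": "erin", "at": "2024-03-03T15:00:00"}],
     "deployed_at": "2024-03-03T14:00:00"},
    {"id": "CHG-104", "developers": ["erin"],             # no approval documented
     "approvals": [],
     "deployed_at": "2024-03-04T08:00:00"},
]


def check_change(change):
    """Return None if the change meets the control, otherwise a reason string."""
    developers = {d.lower() for d in change["developers"]}
    deployed = datetime.fromisoformat(change["deployed_at"])
    if not change["approvals"]:
        return "no approval documented"
    # Segregation of duties: only approvals from non-developers count.
    independent = [a for a in change["approvals"]
                   if a["by"].lower() not in developers]
    if not independent:
        return "approver is not independent of the developers"
    # The independent approval must exist before the production deployment.
    if not any(datetime.fromisoformat(a["at"]) < deployed for a in independent):
        return "independent approval recorded after deployment"
    return None


def audit(changes):
    """Map change id -> reason for every change that fails the control."""
    findings = {}
    for change in changes:
        reason = check_change(change)
        if reason is not None:
            findings[change["id"]] = reason
    return findings


if __name__ == "__main__":
    for change_id, reason in audit(CHANGES).items():
        print(f"{change_id}: {reason}")
```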

What evidence do auditors look for?

Most auditors, at a minimum, look for the following suggested actions:

  1. Provide the system configurations that show that code review is required in the workflow.
  2. Provide the most recent example of a change ticket showing explicit approval.

Evidence example

For each suggested action, an example is provided below:

  1. Provide the system configurations that show that code review is required in the workflow.
    The following screenshot demonstrates the branch rules for a PR (pull request). The PR requires at least one review. If you have such a configuration, provide it.
    [Screenshot: PDP 8 Change Management Approvals 01]
    Here is another example of a workflow.
    [Screenshot: PDP 8 Change Management Approvals 02]
  2. Provide a recent example of a change ticket showing explicit approval.
    The following screenshot shows TrustCloud’s example of the “approval” for one ticket. You need to upload the full ticket and ensure it showcases the approval.
    [Screenshot: PDP 8 Change Management Approvals 03]
    Here is another example, where approval is captured within a ticket:
    [Screenshot: PDP 8 Change Management Approvals 04]


