General rules for reviewing, approving and publishing the code have been defined and enforced.
The rules may include e.g. the following things:
The rules are intended to manage the risks associated with the release of new program code.
Only pre-defined, authorized users are allowed to post changes to the code.
We have agreed and recorded policies to restore an earlier version of the software before implementing the releases.
Inadequate change management is a common cause of incidents for digital services.
An organization shall document the change management process that must be followed whenever significant changes are made to developed digital services or other computing services that affect cyber security. The process includes requirements e.g. for the following: