Change Control, Deployment Discipline, and SDLC Governance

This chapter covers the controls that govern how systems are changed without creating new risk. ISC often tests this area by asking whether modifications were authorized, tested, documented, and moved into production in a controlled way.

In This Chapter

• Change Control Concepts: Policies and Procedures introduces the rules that structure controlled system changes.
• Environments and Testing (Development, QA/Staging, Production) explains why separation of environments matters.
• Patch Management: Risks and Controls covers routine and urgent update risks.
• Continuous Integration and Continuous Deployment in Modern DevOps shows how change control works in faster release models.
• Systems Development Life Cycle (SDLC): Waterfall vs. Agile/DevOps compares development approaches and their control implications.

How to Use This Chapter

• Read this chapter when change-related questions blur together with general operations controls.
• Focus on what makes a change controlled from approval through deployment.
• Return here whenever an ISC scenario involves production changes, emergency fixes, or weak testing discipline.

In this section

• Change Control Policies, Procedures, and Authorization Standards
  Change control policies, procedures, and authorization standards.
• Environment Segregation, Testing Stages, and Production Protection
  Environment segregation, testing stages, and production protection.
• Patch Management, Testing, Rollback, and Control Monitoring
  Patch management, testing, rollback, and control monitoring.
• Continuous Integration, Delivery Pipelines, and DevOps Control Points
  CI/CD pipelines and DevOps control points.
• SDLC Models: Waterfall, Agile, DevOps, and Control Tradeoffs
  Waterfall, Agile, and DevOps SDLC control tradeoffs.