Change Records
Control ID: SDLC-CTRL-0012 | Type: Detective
Summary
All systems and services maintain a permanent record of changes, providing a forensic history of all deployments to production.
Mitigates Risk
- SDLC-RISK-0002: Insider Threat
- SDLC-RISK-0006: Audit and Compliance Failure
- SDLC-RISK-0008: Configuration Drift
Description
Change records provide the audit trail required to meet change management obligations. By automatically logging all deployments and changes to production systems, the organisation maintains a permanent, tamper-evident record of what was deployed, when, and by whom.
This forensic history supports incident investigation, compliance reporting, and ongoing assurance that only approved software reaches production. Combined with deployment controls, change records enable both proactive gating and retrospective analysis of all changes.
Requirements
- All deployments to production systems MUST be automatically recorded
- Change records MUST capture the artefact identity, deployment time, environment, and the actor who triggered the deployment
- Change records MUST be retained permanently or in accordance with applicable retention policies
- Change records MUST be protected from unauthorised modification or deletion
- Change records SHOULD be linked to the corresponding approval and compliance evidence
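One way to satisfy the required-fields and tamper-evidence requirements above, shown as an added example that is not part of the original control and not Kosli's implementation: a hash-chained change log in Python. The field names, the `approval_ref` link and the hash-chain design are assumptions made for illustration.

```python
import hashlib
import json

# Field names are assumptions for this example; the control only names the
# four facts a record must capture.
REQUIRED = ("artefact_sha256", "deployed_at", "environment", "actor")
GENESIS = "0" * 64

def _digest(body):
    # Canonical JSON so the same record always hashes to the same value.
    blob = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def append_record(log, record):
    """Append a change record, chaining it to the previous record's hash."""
    missing = [f for f in REQUIRED if not record.get(f)]
    if missing:
        raise ValueError(f"change record missing fields: {missing}")
    body = dict(record, prev_hash=log[-1]["record_hash"] if log else GENESIS)
    entry = dict(body, record_hash=_digest(body))
    log.append(entry)
    return entry

def verify_log(log, expected_head=None):
    """Return the index of the first record that fails verification, or None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "record_hash"}
        if entry.get("prev_hash") != prev or entry.get("record_hash") != _digest(body):
            return i
        prev = entry["record_hash"]
    # Truncating the tail keeps the chain valid, so compare against a head
    # hash that was stored somewhere the log writer cannot change.
    if expected_head is not None and prev != expected_head:
        return len(log)
    return None

def build_sample_log():
    # Constructed sample deployments, not real data.
    log = []
    append_record(log, {"artefact_sha256": "a" * 64, "deployed_at": "2024-05-01T10:00:00Z",
                        "environment": "prod", "actor": "ci-pipeline", "approval_ref": "CHG-1"})
    append_record(log, {"artefact_sha256": "b" * 64, "deployed_at": "2024-05-02T09:30:00Z",
                        "environment": "prod", "actor": "alice", "approval_ref": "CHG-2"})
    return log
```

Editing or deleting an earlier record breaks the chain at that index; removing the newest records is only caught when the head hash is held outside the log.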
How we implement this control
- We monitor production systems and automatically record a forensic history of all changes in Kosli using environment monitoring
- Environment records can be found here: https://app.kosli.com/kosli/environments/
Compliance Frameworks
NIST SP 800-53 Rev. 5
- CM-3 — Configuration change control — requires all changes to be recorded, including what changed, when, and by whom.
- AU-3 — Content of audit records — change records must capture sufficient detail to reconstruct the sequence of events.
- AU-6 — Audit record review, analysis, and reporting — change records form the basis for ongoing review of deployment activity.
- AU-12 — Audit record generation — the system must automatically generate change records for all deployments.
- SI-12 — Information management and retention — change records must be retained in accordance with applicable policies.
SOC 2 Type II
- CC8.1 — Requires a record of all changes to production; change records provide the audit trail of what was deployed, when, and by whom.
- CC7.2 — Requires monitoring of system components for anomalies; change records enable detection of unauthorised or unexpected deployments.
- CC4.1 — Requires monitoring activities to ascertain whether controls are functioning; change records provide evidence for control effectiveness reviews.