security-change-management
Jochem de Boer edited this page 2026-04-13 14:33:49 +00:00
Change Management
Overview
All changes to production systems follow a structured SDLC workflow that provides traceability from requirement to deployment.
Change Process
- Requirements — Feature requirements are captured as PREQ issues and approved by a human before proceeding
- Planning — Technical plan is created and decomposed into SREQs; the approach is approved by a human
- Development — Code is implemented following TDD; code review is performed by automated agents
- Validation — E2E testing; UAT is performed by a human
- Integration — Merged to integration branch after all checks pass
- Release — Deployed to production
Human Approval Gates
| Gate | Who Approves | What They Review |
|---|---|---|
| PREQ Approval | Product owner | Requirements completeness and correctness |
| Plan Approval | Technical lead | Architecture decisions and approach |
| UAT | Product owner | Feature works as specified |
Emergency Changes
Process for urgent production fixes that bypass normal flow.
Evidence
Each change produces:
- PREQ issue (requirements traceability)
- SREQ issues (implementation traceability)
- Code review report (review evidence)
- E2E report (test evidence)
- Git commits with conventional messages (audit trail)
Last reviewed: Not yet reviewed