Control Statement

The standard change management process is documented in a change control workflow.

Context

Having a structured workflow and guidance on change management helps reduce the risk of IllumiDesk experiencing platform or application instability by increasing the predictability and reproducibility of the change management process.

Scope

This control applies to all systems within our IllumiDesk.com production environment. The production environment includes all endpoints and cloud assets used in hosting IllumiDesk.com and its subdomains. This doesn't include third-party systems that support the business of IllumiDesk.com, which can be found in CM.3.01.

Ownership

• Control Owner: Infrastructure

• Process owner(s):

  • Infrastructure

Guidance

Change management encapulates multiple types of changes within our business environment.

The two primary production changes are infrastructure changes and source code changes to IllumiDesk service itself.

• Infrastructure changes are done in accordance with the Change Management process.

• Code changes are made in accordance to our contribution, review, and approval processes, which is described as part of the Service Lifecycle Workflow control.

Third-party systems, the data warehouse, and financial changes are related to the Business Technology Change Management Workflow.

Additionally, any changes to the IllumiDesk handbook utilizes IllumiDesk.com version control system.

Additional control information and project tracking

Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the Change Management Workflow control issue.

Examples of evidence an auditor might request to satisfy this control:

• Copy of the IllumiDesk change management workflow

• Sample of issues or other documentation showing the change management workflow is followed

Framework Mapping

• SOC2 CC

  • CC2.3

  • CC8.1