SOC2-CC8-RELEASE-MGMT

Deployment and Release Management

Control type: preventive | Effectiveness: high | Frequency: continuous

What this control does

Controlled deployment pipeline with automated testing gates to prevent untested or unauthorized code from reaching production.

Implementation guidance

Use a CI/CD pipeline with automated tests (unit, integration, security scan) that must pass before a deployment job can run. Separate deployment credentials from developer credentials: the pipeline deploys under its own identity, and no individual developer account holds production deployment rights. Require a manual approval gate for production deployments, with the approver being someone other than the person who triggered the deployment. Maintain a deployment log that records, for every production deployment, the timestamp, the deployer identity, the application and version deployed, and a reference to the approval.

Requirements satisfied

CC8.1

Why it matters

Uncontrolled or untested deployments introduce code defects, security vulnerabilities, and unauthorized changes directly into production, compromising system availability and data integrity. A weak release process removes the last opportunity to catch misconfigurations, malicious code, or compliance violations before they reach customers. Without an audit trail, you cannot establish who deployed what and when, which leaves no basis for forensic investigation and fails the SOC 2 CC8.1 requirement for controlled, traceable changes.

Evidence to collect

  • Automated CI/CD pipeline configuration file (e.g., .github/workflows, .gitlab-ci.yml, or Jenkins declarative pipeline) showing test gates and approval stages
  • Deployment log excerpts covering last 3 months showing timestamp, deployer identity, application/version deployed, and approval reference
  • Screenshot of production deployment approval UI showing required manual gate (e.g., Jira deployment gate, GitLab environment protection, or equivalent)
  • Security scanning tool integration evidence (e.g., SonarQube, Snyk, or SAST scan report) demonstrating scan execution in pipeline before deployment

Testing procedure

Request deployment logs for the past 60 days and verify that every production deployment has an entry with deployer identity, timestamp, application/version, and approval reference. Trace 3–5 recent deployments back through the CI/CD pipeline to confirm: (1) automated unit/integration tests ran and passed, (2) security scanning executed and either passed or, where it failed, was overridden only with a documented approval, and (3) a manual approval gate was triggered and the approver was recorded and was not the deployer. Confirm that deployment credentials (API keys, SSH keys, cloud roles) are stored separately from developer credentials, that developers cannot read them, and that the pipeline service account has only the permissions the deployment needs.

Common gotchas

Teams often bypass automated gates through administrative overrides or hotfix paths that do not write to the deployment log, creating "dark" deployments with no audit trail; reconcile what is actually running in production against the log rather than trusting the log alone. Another common mistake is storing deployment credentials in code repositories or in CI/CD variable secrets that every developer can read, which defeats the separation-of-duties intent; use a secrets manager with role-based access, scoped so that only the production deployment job can retrieve them.