{"authors":[{"name":"Martin Stühmer","url":"https://daily-devops.net/authors/martin/"},{"name":"Jendrik Brack","url":"https://daily-devops.net/authors/jendrik/"}],"description":"Recent content in Governance \u0026 Compliance for .NET \u0026 Azure on Daily DevOps \u0026 .NET","favicon":"https://daily-devops.net/images/logo_hu_6465d873dfa490cf.png","feed_url":"https://daily-devops.net/tags/governance/feed.json","home_page_url":"https://daily-devops.net/tags/governance/","icon":"https://daily-devops.net/images/logo_hu_5926de77762241ba.png","items":[{"authors":[{"name":"Martin Stühmer","url":"https://daily-devops.net/authors/martin/"}],"content_html":"\u003cp\u003eEvery compliance audit eventually arrives at the same uncomfortable question: \u0026ldquo;Show me how you control changes to production systems.\u0026rdquo;\u003c/p\u003e\n\u003cp\u003eIf your answer involves developers pushing directly to the main branch, running deployment scripts from their laptops, or \u0026ldquo;we have a process document somewhere,\u0026rdquo; you\u0026rsquo;re not demonstrating compliance—you\u0026rsquo;re demonstrating risk. ISO/IEC 27001 doesn\u0026rsquo;t accept \u0026ldquo;we trust our developers\u0026rdquo; as a control mechanism. It requires demonstrable, auditable, technically enforced change management.\u003c/p\u003e\n\u003cp\u003eHere\u0026rsquo;s what I\u0026rsquo;ve learned from teams navigating ISO 27001 certification: the ones who struggle aren\u0026rsquo;t lacking documentation. They\u0026rsquo;re lacking technical controls that make compliance violations impossible. The ones who succeed embed compliance directly into their development workflow using tools they already have—specifically, GitHub\u0026rsquo;s branch protection and pull request mechanisms.\u003c/p\u003e\n\u003cp\u003eThis article examines how \u003ca href=\"https://www.iso.org/standard/27001\" target=\"_blank\" rel=\"noopener external noreferrer\"\u003eISO 27001\u003c/a\u003e Controls A.12.1 (Operational procedures and responsibilities) and A.14.2 (Security in development and support processes) translate into concrete GitHub configurations. Not theoretical compliance theater. Not checkbox exercises for auditors. Real technical controls that simultaneously improve code quality and satisfy audit requirements.\u003c/p\u003e\n\n\n\n\n\u003ch2 id=\"the-compliance-gap-what-iso-27001-actually-requires\"\u003e\u003ca href=\"/posts/change-control-github-branch-protection/#the-compliance-gap-what-iso-27001-actually-requires\" title=\"The Compliance Gap: What ISO 27001 Actually Requires\"\u003eThe Compliance Gap: What ISO 27001 Actually Requires\u003c/a\u003e\u003c/h2\u003e\n\u003cp\u003eISO 27001 Control A.12.1.2 (Change management) states clearly: \u0026ldquo;Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.\u0026rdquo;\u003c/p\u003e\n\u003cp\u003eControl A.14.2.2 (System change control procedures) gets more specific: \u0026ldquo;Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.\u0026rdquo;\u003c/p\u003e\n\u003cp\u003eWhat does \u0026ldquo;controlled\u0026rdquo; mean in practical terms? It means you can demonstrate:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAuthorization\u003c/strong\u003e: Who approved this change for production deployment?\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview\u003c/strong\u003e: Who verified this change meets security and quality standards?\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTesting\u003c/strong\u003e: What evidence exists that this change was tested before production?\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTraceability\u003c/strong\u003e: Can you trace any production code back to the specific change request that introduced it?\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSegregation\u003c/strong\u003e: Are developers prevented from unilaterally deploying their own changes to production?\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuditability\u003c/strong\u003e: Can you reconstruct exactly what changed, when, and by whom?\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eIf you can\u0026rsquo;t answer these questions with concrete evidence—not process documents, but actual system logs and access controls—you don\u0026rsquo;t have change control. You have change chaos with documentation.\u003c/p\u003e\n\n\n\n\n\u003ch2 id=\"the-fatal-pattern-uncontrolled-change-management\"\u003e\u003ca href=\"/posts/change-control-github-branch-protection/#the-fatal-pattern-uncontrolled-change-management\" title=\"The Fatal Pattern: Uncontrolled Change Management\"\u003eThe Fatal Pattern: Uncontrolled Change Management\u003c/a\u003e\u003c/h2\u003e\n\u003cp\u003eLet me show you what compliance violation looks like in practice. This is the pattern I\u0026rsquo;ve seen in countless pre-certification assessments:\u003c/p\u003e\n\n\n\n\n\u003ch3 id=\"fatal-example-the-we-trust-our-developers-approach\"\u003e\u003ca href=\"/posts/change-control-github-branch-protection/#fatal-example-the-we-trust-our-developers-approach\" title=\"Fatal Example: The \u0026ldquo;We Trust Our Developers\u0026rdquo; Approach\"\u003eFatal Example: The \u0026ldquo;We Trust Our Developers\u0026rdquo; Approach\u003c/a\u003e\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e# Developer on their laptop, any Tuesday morning\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003egit clone https://github.com/company/production-api\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nb\"\u003ecd\u003c/span\u003e production-api\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e# Make changes directly to main\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003egit checkout main\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e# ... make changes ...\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003egit add .\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003egit commit -m \u003cspan class=\"s2\"\u003e\u0026#34;fix bug\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003egit push origin main\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e# Deployment happens automatically from main branch\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e# Or worse: developer runs deployment script manually\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e./deploy-to-prod.sh\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003e\u003cstrong\u003eWhat\u0026rsquo;s wrong here?\u003c/strong\u003e Everything. Let\u0026rsquo;s enumerate the compliance failures:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eNo authorization control\u003c/strong\u003e: Any developer with write access can push to main\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eNo mandatory review\u003c/strong\u003e: Changes reach production without peer review\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eNo testing gate\u003c/strong\u003e: No required status checks, builds, or tests\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eNo separation of duties\u003c/strong\u003e: Same person writes code and deploys to production\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eWeak audit trail\u003c/strong\u003e: Git log shows commits but not approval workflow\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eNo rollback procedure\u003c/strong\u003e: No systematic way to revert changes safely\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEmergency bypass\u003c/strong\u003e: \u0026ldquo;Hotfix\u0026rdquo; culture encourages skipping all controls \u0026ldquo;because urgent\u0026rdquo;\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eThis pattern violates ISO 27001 fundamentally. You cannot demonstrate control. You cannot prove testing occurred. You cannot trace authorization. You cannot show segregation of duties.\u003c/p\u003e\n\u003cp\u003eWhen the auditor asks \u0026ldquo;show me how you prevent untested code from reaching production,\u0026rdquo; you have no technical answer. Only organizational promises that humans will follow the right process. That\u0026rsquo;s not a control. That\u0026rsquo;s hope.\u003c/p\u003e\n\n\n\n\n\u003ch3 id=\"the-hidden-risk-cultural-normalization\"\u003e\u003ca href=\"/posts/change-control-github-branch-protection/#the-hidden-risk-cultural-normalization\" title=\"The Hidden Risk: Cultural Normalization\"\u003eThe Hidden Risk: Cultural Normalization\u003c/a\u003e\u003c/h3\u003e\n\u003cp\u003eThe insidious aspect of this pattern is how normal it feels. Developers are trusted professionals. They know the codebase. They understand the risks. Surely they won\u0026rsquo;t deploy broken code to production?\u003c/p\u003e\n\u003cp\u003eExcept they do. Not maliciously—accidentally. Under pressure. At 3 AM during an incident. When the customer is screaming. When the CEO is watching. Human processes fail under stress. That\u0026rsquo;s why ISO 27001 requires technical controls, not just process documentation.\u003c/p\u003e\n\n\n\n\n\u003ch2 id=\"the-compliant-pattern-github-branch-protection\"\u003e\u003ca href=\"/posts/change-control-github-branch-protection/#the-compliant-pattern-github-branch-protection\" title=\"The Compliant Pattern: GitHub Branch Protection\"\u003eThe Compliant Pattern: GitHub Branch Protection\u003c/a\u003e\u003c/h2\u003e\n\u003cp\u003eNow let me show you what compliance looks like when embedded in technical controls:\u003c/p\u003e\n\n\n\n\n\u003ch3 id=\"correct-example-branch-protection--pull-request-workflow\"\u003e\u003ca href=\"/posts/change-control-github-branch-protection/#correct-example-branch-protection--pull-request-workflow\" title=\"Correct Example: Branch Protection \u0026#43; Pull Request Workflow\"\u003eCorrect Example: Branch Protection + Pull Request Workflow\u003c/a\u003e\u003c/h3\u003e\n\u003cp\u003e\u003cstrong\u003eStep 1: \u003ca href=\"https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches\" target=\"_blank\" rel=\"noopener external noreferrer\"\u003eBranch Protection\u003c/a\u003e Configuration\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-yaml\" data-lang=\"yaml\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c\"\u003e# Branch protection rules for \u0026#39;main\u0026#39; branch\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c\"\u003e# (Configured in GitHub repository Settings → Branches)\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nt\"\u003eProtection Rules\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e  \u003c/span\u003e- \u003cspan class=\"nt\"\u003eRequire pull request before merging\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003e✓\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e  \u003c/span\u003e- \u003cspan class=\"nt\"\u003eRequire approvals\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"m\"\u003e2\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e  \u003c/span\u003e- \u003cspan class=\"nt\"\u003eDismiss stale reviews when new commits are pushed\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003e✓\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e  \u003c/span\u003e- \u003cspan class=\"nt\"\u003eRequire review from code owners\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003e✓\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e  \u003c/span\u003e- \u003cspan class=\"nt\"\u003eRequire status checks to pass before merging\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003e✓\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e  \u003c/span\u003e- \u003cspan class=\"nt\"\u003eRequire signed commits\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003e✓\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e  \u003c/span\u003e- \u003cspan class=\"nt\"\u003eInclude administrators\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003e✓\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e  \u003c/span\u003e- \u003cspan class=\"nt\"\u003eAllow force pushes\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003e✗\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e  \u003c/span\u003e- \u003cspan class=\"nt\"\u003eAllow deletions\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003e✗\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003eThis configuration ensures:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eAuthorization\u003c/strong\u003e: Pull requests require explicit approval from designated reviewers\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview\u003c/strong\u003e: Minimum two approvals enforced technically, not by policy\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTesting\u003c/strong\u003e: Status checks must pass—builds, tests, security scans—before merge is possible\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSegregation\u003c/strong\u003e: No direct pushes to main, even for administrators\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTraceability\u003c/strong\u003e: Every change linked to a pull request with full discussion history\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuditability\u003c/strong\u003e: Complete record in GitHub audit log\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cstrong\u003eStep 2: \u003ca href=\"https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners\" target=\"_blank\" rel=\"noopener external noreferrer\"\u003eCODEOWNERS\u003c/a\u003e File for Domain Expert Review\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-plaintext\" data-lang=\"plaintext\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e# .github/CODEOWNERS\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e# Default owners for everything\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e* @team-leads\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e# Database migrations require DBA (Database Administrator) approval\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e/database/migrations/** @database-team\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e# Infrastructure as code requires ops review\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e/infrastructure/** @ops-team @security-team\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e# Payment processing requires specialized review\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e/src/payments/** @payments-team @compliance-officer\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003eThe result:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eMandatory expert review\u003c/strong\u003e: Security-sensitive areas automatically require security team approval\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDistributed responsibility\u003c/strong\u003e: Domain experts own their areas explicitly\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCompliance verification\u003c/strong\u003e: Specific reviewers (like compliance officers) for regulated components\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAudit evidence\u003c/strong\u003e: Pull request history shows which experts reviewed each change\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cstrong\u003eStep 3: Required Status Checks\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-yaml\" data-lang=\"yaml\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c\"\u003e# .github/workflows/pr-checks.yml\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nt\"\u003ename\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003ePull Request Checks\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nt\"\u003eon\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e  \u003c/span\u003e\u003cspan class=\"nt\"\u003epull_request\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    \u003c/span\u003e\u003cspan class=\"nt\"\u003ebranches\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"p\"\u003e[\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003emain ]\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nt\"\u003ejobs\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e  \u003c/span\u003e\u003cspan class=\"nt\"\u003ebuild-and-test\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    \u003c/span\u003e\u003cspan class=\"nt\"\u003eruns-on\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003eubuntu-latest\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    \u003c/span\u003e\u003cspan class=\"nt\"\u003esteps\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e      \u003c/span\u003e- \u003cspan class=\"nt\"\u003euses\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003eactions/checkout@v4\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e      \u003c/span\u003e- \u003cspan class=\"nt\"\u003ename\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003eBuild and test\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e        \u003c/span\u003e\u003cspan class=\"nt\"\u003erun\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"p\"\u003e|\u003c/span\u003e\u003cspan class=\"sd\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"sd\"\u003e          dotnet build --configuration Release\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"sd\"\u003e          dotnet test --configuration Release\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e      \n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e  \u003c/span\u003e\u003cspan class=\"nt\"\u003esecurity-scan\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    \u003c/span\u003e\u003cspan class=\"nt\"\u003eruns-on\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003eubuntu-latest\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    \u003c/span\u003e\u003cspan class=\"nt\"\u003esteps\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e      \u003c/span\u003e- \u003cspan class=\"nt\"\u003euses\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003eactions/checkout@v4\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e      \u003c/span\u003e- \u003cspan class=\"nt\"\u003ename\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003eRun security analysis\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e        \u003c/span\u003e\u003cspan class=\"nt\"\u003euses\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003egithub/codeql-action/analyze@v3\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003eBenefits:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eAutomated testing gate\u003c/strong\u003e: Code must build, pass tests, and meet quality standards\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSecurity verification\u003c/strong\u003e: Automated security scanning catches vulnerabilities before merge\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eQuality enforcement\u003c/strong\u003e: Code formatting and static analysis prevent quality degradation\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCompliance evidence\u003c/strong\u003e: Workflow run logs prove testing occurred\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cstrong\u003eStep 4: Deployment Workflow with \u003ca href=\"https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment\" target=\"_blank\" rel=\"noopener external noreferrer\"\u003eEnvironment Protection\u003c/a\u003e\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-yaml\" data-lang=\"yaml\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c\"\u003e# .github/workflows/deploy-production.yml\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nt\"\u003ename\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003eDeploy to Production\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nt\"\u003eon\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e  \u003c/span\u003e\u003cspan class=\"nt\"\u003epush\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    \u003c/span\u003e\u003cspan class=\"nt\"\u003ebranches\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"p\"\u003e[\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003emain ]\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nt\"\u003ejobs\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e  \u003c/span\u003e\u003cspan class=\"nt\"\u003edeploy-production\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    \u003c/span\u003e\u003cspan class=\"nt\"\u003eruns-on\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003eubuntu-latest\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    \u003c/span\u003e\u003cspan class=\"nt\"\u003eenvironment\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003eproduction\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    \n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    \u003c/span\u003e\u003cspan class=\"nt\"\u003esteps\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e      \u003c/span\u003e- \u003cspan class=\"nt\"\u003euses\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003eactions/checkout@v4\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e      \u003c/span\u003e- \u003cspan class=\"nt\"\u003ename\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003eDeploy to production\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e        \u003c/span\u003e\u003cspan class=\"nt\"\u003erun\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003eaz webapp deploy --resource-group prod-rg --name api --src-path ./release.zip\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e      \u003c/span\u003e- \u003cspan class=\"nt\"\u003ename\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003eVerify deployment\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e        \u003c/span\u003e\u003cspan class=\"nt\"\u003erun\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003ecurl -f https://api.company.com/health\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003e\u003cstrong\u003eEnvironment Protection Configuration:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-yaml\" data-lang=\"yaml\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c\"\u003e# Settings → Environments → production\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nt\"\u003eEnvironment Protection Rules\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e  \u003c/span\u003e- \u003cspan class=\"nt\"\u003eRequired reviewers\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e@\u003cspan class=\"l\"\u003eops-lead, @security-lead\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e  \u003c/span\u003e- \u003cspan class=\"nt\"\u003eWait timer\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"m\"\u003e5\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003eminutes\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e  \u003c/span\u003e- \u003cspan class=\"nt\"\u003eDeployment branches\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003emain only\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003eThis delivers:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eDeployment authorization\u003c/strong\u003e: Production deployments require explicit approval from designated leads\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSegregation of duties\u003c/strong\u003e: Developers cannot trigger production deployments directly\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCooling-off period\u003c/strong\u003e: 5-minute wait prevents panic deployments\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAutomated verification\u003c/strong\u003e: Smoke tests confirm deployment succeeded\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eComplete audit trail\u003c/strong\u003e: GitHub deployment history records who approved, when, and what was deployed\u003c/li\u003e\n\u003c/ul\u003e\n\n\n\n\n\u003ch2 id=\"how-this-satisfies-iso-27001-audit-requirements\"\u003e\u003ca href=\"/posts/change-control-github-branch-protection/#how-this-satisfies-iso-27001-audit-requirements\" title=\"How This Satisfies ISO 27001 Audit Requirements\"\u003eHow This Satisfies ISO 27001 Audit Requirements\u003c/a\u003e\u003c/h2\u003e\n\u003cp\u003eLet\u0026rsquo;s map these technical controls directly to ISO 27001 requirements:\u003c/p\u003e\n\n\n\n\n\u003ch3 id=\"control-a1212-change-management\"\u003e\u003ca href=\"/posts/change-control-github-branch-protection/#control-a1212-change-management\" title=\"Control A.12.1.2 (Change Management)\"\u003eControl A.12.1.2 (Change Management)\u003c/a\u003e\u003c/h3\u003e\n\u003cp\u003e\u003cstrong\u003eRequirement\u003c/strong\u003e: \u0026ldquo;Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.\u0026rdquo;\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eTechnical Evidence\u003c/strong\u003e:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003ePull request workflow demonstrates formal change control procedure\u003c/li\u003e\n\u003cli\u003eRequired approvals prove authorization before implementation\u003c/li\u003e\n\u003cli\u003eStatus checks demonstrate testing and security validation\u003c/li\u003e\n\u003cli\u003eGitHub audit log provides complete change history\u003c/li\u003e\n\u003cli\u003eCODEOWNERS ensures security team reviews security-sensitive changes\u003c/li\u003e\n\u003c/ul\u003e\n\n\n\n\n\u003ch3 id=\"control-a1422-system-change-control-procedures\"\u003e\u003ca href=\"/posts/change-control-github-branch-protection/#control-a1422-system-change-control-procedures\" title=\"Control A.14.2.2 (System Change Control Procedures)\"\u003eControl A.14.2.2 (System Change Control Procedures)\u003c/a\u003e\u003c/h3\u003e\n\u003cp\u003e\u003cstrong\u003eRequirement\u003c/strong\u003e: \u0026ldquo;Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.\u0026rdquo;\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eTechnical Evidence\u003c/strong\u003e:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eBranch protection prevents uncontrolled changes\u003c/li\u003e\n\u003cli\u003eRequired status checks enforce testing in development lifecycle\u003c/li\u003e\n\u003cli\u003ePull request reviews document technical review process\u003c/li\u003e\n\u003cli\u003eDeployment workflows enforce controlled release procedures\u003c/li\u003e\n\u003cli\u003eEnvironment protection gates ensure authorization before production deployment\u003c/li\u003e\n\u003c/ul\u003e\n\n\n\n\n\u003ch3 id=\"control-a1429-system-acceptance-testing\"\u003e\u003ca href=\"/posts/change-control-github-branch-protection/#control-a1429-system-acceptance-testing\" title=\"Control A.14.2.9 (System Acceptance Testing)\"\u003eControl A.14.2.9 (System Acceptance Testing)\u003c/a\u003e\u003c/h3\u003e\n\u003cp\u003e\u003cstrong\u003eRequirement\u003c/strong\u003e: \u0026ldquo;Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.\u0026rdquo;\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eTechnical Evidence\u003c/strong\u003e:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eRequired status checks include automated test execution\u003c/li\u003e\n\u003cli\u003eIntegration tests validate system behavior\u003c/li\u003e\n\u003cli\u003eSecurity scans verify security requirements\u003c/li\u003e\n\u003cli\u003eDeployment workflows include smoke tests for acceptance validation\u003c/li\u003e\n\u003cli\u003eTest execution logs prove testing occurred before production deployment\u003c/li\u003e\n\u003c/ul\u003e\n\n\n\n\n\u003ch2 id=\"the-audit-evidence-package\"\u003e\u003ca href=\"/posts/change-control-github-branch-protection/#the-audit-evidence-package\" title=\"The Audit Evidence Package\"\u003eThe Audit Evidence Package\u003c/a\u003e\u003c/h2\u003e\n\u003cp\u003eWhen the auditor asks \u0026ldquo;show me your change control process,\u0026rdquo; you present:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eBranch Protection Configuration\u003c/strong\u003e: Screenshot or exported settings showing technical controls\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePull Request History\u003c/strong\u003e: Demonstrating approval workflow, reviewer identity, timestamp\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eStatus Check Logs\u003c/strong\u003e: Showing builds, tests, security scans passed before merge\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCODEOWNERS File\u003c/strong\u003e: Proving security team mandatory review for security-sensitive code\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeployment History\u003c/strong\u003e: GitHub deployments page showing who approved, when deployed\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAudit Log Export\u003c/strong\u003e: Complete GitHub audit log showing access, approvals, merges\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRollback Procedure\u003c/strong\u003e: Documented process using Git tags and revert workflows\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eThis is concrete, technical, auditable evidence. Not process documents. Not promises. System-enforced controls that make compliance violations technically impossible.\u003c/p\u003e\n\n\n\n\n\u003ch2 id=\"rollback-procedures-the-missing-control\"\u003e\u003ca href=\"/posts/change-control-github-branch-protection/#rollback-procedures-the-missing-control\" title=\"Rollback Procedures: The Missing Control\"\u003eRollback Procedures: The Missing Control\u003c/a\u003e\u003c/h2\u003e\n\u003cp\u003eOne frequently overlooked aspect of ISO 27001 change control: demonstrable rollback capability. When a change causes a production incident, you need a systematic, tested procedure to revert to the last known good state.\u003c/p\u003e\n\n\n\n\n\u003ch3 id=\"rollback-workflow\"\u003e\u003ca href=\"/posts/change-control-github-branch-protection/#rollback-workflow\" title=\"Rollback Workflow\"\u003eRollback Workflow\u003c/a\u003e\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-yaml\" data-lang=\"yaml\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c\"\u003e# .github/workflows/rollback-production.yml\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nt\"\u003ename\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003eRollback Production\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nt\"\u003eon\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e  \u003c/span\u003e\u003cspan class=\"nt\"\u003eworkflow_dispatch\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    \u003c/span\u003e\u003cspan class=\"nt\"\u003einputs\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e      \u003c/span\u003e\u003cspan class=\"nt\"\u003etarget_tag\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e        \u003c/span\u003e\u003cspan class=\"nt\"\u003edescription\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"s1\"\u003e\u0026#39;Git tag to rollback to (e.g., v2.1.4)\u0026#39;\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e        \u003c/span\u003e\u003cspan class=\"nt\"\u003erequired\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"kc\"\u003etrue\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nt\"\u003ejobs\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e  \u003c/span\u003e\u003cspan class=\"nt\"\u003erollback\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    \u003c/span\u003e\u003cspan class=\"nt\"\u003eruns-on\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003eubuntu-latest\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    \u003c/span\u003e\u003cspan class=\"nt\"\u003eenvironment\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003eproduction\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    \u003c/span\u003e\u003cspan class=\"nt\"\u003esteps\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e      \u003c/span\u003e- \u003cspan class=\"nt\"\u003euses\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003eactions/checkout@v4\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e        \u003c/span\u003e\u003cspan class=\"nt\"\u003ewith\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e          \u003c/span\u003e\u003cspan class=\"nt\"\u003eref\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003e${{ inputs.target_tag }}\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e      \u003c/span\u003e- \u003cspan class=\"nt\"\u003ename\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003eDeploy rollback\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e        \u003c/span\u003e\u003cspan class=\"nt\"\u003erun\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003eaz webapp deploy --resource-group prod-rg --name api --src-path ./release.zip\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e      \u003c/span\u003e- \u003cspan class=\"nt\"\u003ename\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003eVerify rollback\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e        \u003c/span\u003e\u003cspan class=\"nt\"\u003erun\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003ecurl -f https://api.company.com/health\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003eKey outcomes:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eControlled rollback\u003c/strong\u003e: Rollback requires same environment protection as deployment\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eValidation\u003c/strong\u003e: Ensures rollback target is a valid, previously deployed version\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAudit trail\u003c/strong\u003e: Records who executed rollback, to which version, and when\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTesting\u003c/strong\u003e: Automated smoke tests verify rollback succeeded\u003c/li\u003e\n\u003c/ul\u003e\n\n\n\n\n\u003ch3 id=\"tagging-strategy-for-rollback\"\u003e\u003ca href=\"/posts/change-control-github-branch-protection/#tagging-strategy-for-rollback\" title=\"Tagging Strategy for Rollback\"\u003eTagging Strategy for Rollback\u003c/a\u003e\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e# Automated tagging in deployment workflow\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e# Every successful production deployment creates a Git tag\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e- name: Tag successful deployment\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e  run: \u003cspan class=\"p\"\u003e|\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"nv\"\u003eVERSION\u003c/span\u003e\u003cspan class=\"o\"\u003e=\u003c/span\u003e\u003cspan class=\"k\"\u003e$(\u003c/span\u003ecat version.txt\u003cspan class=\"k\"\u003e)\u003c/span\u003e  \u003cspan class=\"c1\"\u003e# e.g., 2.1.5\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    git tag -a \u003cspan class=\"s2\"\u003e\u0026#34;v\u003c/span\u003e\u003cspan class=\"si\"\u003e${\u003c/span\u003e\u003cspan class=\"nv\"\u003eVERSION\u003c/span\u003e\u003cspan class=\"si\"\u003e}\u003c/span\u003e\u003cspan class=\"s2\"\u003e\u0026#34;\u003c/span\u003e -m \u003cspan class=\"s2\"\u003e\u0026#34;Production deployment \u003c/span\u003e\u003cspan class=\"k\"\u003e$(\u003c/span\u003edate -u\u003cspan class=\"k\"\u003e)\u003c/span\u003e\u003cspan class=\"s2\"\u003e\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    git push origin \u003cspan class=\"s2\"\u003e\u0026#34;v\u003c/span\u003e\u003cspan class=\"si\"\u003e${\u003c/span\u003e\u003cspan class=\"nv\"\u003eVERSION\u003c/span\u003e\u003cspan class=\"si\"\u003e}\u003c/span\u003e\u003cspan class=\"s2\"\u003e\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003eThis creates a complete deployment history. Each tag represents a known-good production state. Rollback becomes straightforward: redeploy from a previous tag.\u003c/p\u003e\n\n\n\n\n\u003ch2 id=\"common-pitfalls-where-teams-fail-compliance\"\u003e\u003ca href=\"/posts/change-control-github-branch-protection/#common-pitfalls-where-teams-fail-compliance\" title=\"Common Pitfalls: Where Teams Fail Compliance\"\u003eCommon Pitfalls: Where Teams Fail Compliance\u003c/a\u003e\u003c/h2\u003e\n\u003cp\u003eEven with these controls configured, I\u0026rsquo;ve seen teams accidentally violate their own compliance by:\u003c/p\u003e\n\n\n\n\n\u003ch3 id=\"pitfall-1-emergency-bypass-mechanisms\"\u003e\u003ca href=\"/posts/change-control-github-branch-protection/#pitfall-1-emergency-bypass-mechanisms\" title=\"Pitfall 1: Emergency Bypass Mechanisms\"\u003ePitfall 1: Emergency Bypass Mechanisms\u003c/a\u003e\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-yaml\" data-lang=\"yaml\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c\"\u003e# DON\u0026#39;T: \u0026#34;Break glass\u0026#34; override that defeats all controls\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c\"\u003e# Some teams create a separate branch or emergency workflow\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c\"\u003e# that bypasses required reviews \u0026#34;for emergencies\u0026#34;\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c\"\u003e# This violates ISO 27001 immediately\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c\"\u003e# Emergency changes must ALSO follow change control procedures\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003eISO 27001 doesn\u0026rsquo;t have an \u0026ldquo;unless it\u0026rsquo;s urgent\u0026rdquo; exception. Emergency changes require expedited procedures with the same controls—faster approvals, not bypassed approvals.\u003c/p\u003e\n\n\n\n\n\u003ch3 id=\"pitfall-2-administrator-exemptions\"\u003e\u003ca href=\"/posts/change-control-github-branch-protection/#pitfall-2-administrator-exemptions\" title=\"Pitfall 2: Administrator Exemptions\"\u003ePitfall 2: Administrator Exemptions\u003c/a\u003e\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-yaml\" data-lang=\"yaml\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c\"\u003e# DON\u0026#39;T: Exclude administrators from branch protection\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nt\"\u003eProtection Rules\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e  \u003c/span\u003e- \u003cspan class=\"nt\"\u003eInclude administrators\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003e✗ \u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"c\"\u003e# WRONG - creates compliance gap\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003eIf administrators can bypass controls, auditors will note the gap. Include administrators in protection rules. If emergencies require override, use GitHub\u0026rsquo;s temporary bypass mechanism with full audit logging.\u003c/p\u003e\n\n\n\n\n\u003ch3 id=\"pitfall-3-manual-deployment-scripts\"\u003e\u003ca href=\"/posts/change-control-github-branch-protection/#pitfall-3-manual-deployment-scripts\" title=\"Pitfall 3: Manual Deployment Scripts\"\u003ePitfall 3: Manual Deployment Scripts\u003c/a\u003e\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e# DON\u0026#39;T: Deployment scripts runnable from developer laptops\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e# Even if main branch is protected, if deployments happen manually\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e# you\u0026#39;ve lost segregation of duties\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e./deploy-prod.sh  \u003cspan class=\"c1\"\u003e# This should not exist\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003eAll production deployments must flow through GitHub Actions with environment protection. No deployment scripts on developer machines. No SSH access to production servers. No \u0026ldquo;just this once because urgent.\u0026rdquo;\u003c/p\u003e\n\n\n\n\n\u003ch3 id=\"pitfall-4-incomplete-audit-logging\"\u003e\u003ca href=\"/posts/change-control-github-branch-protection/#pitfall-4-incomplete-audit-logging\" title=\"Pitfall 4: Incomplete Audit Logging\"\u003ePitfall 4: Incomplete Audit Logging\u003c/a\u003e\u003c/h3\u003e\n\u003cp\u003eGitHub\u0026rsquo;s built-in \u003ca href=\"https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization\" target=\"_blank\" rel=\"noopener external noreferrer\"\u003eaudit log\u003c/a\u003e is extensive, but it has retention limits (90-180 days depending on plan). For long-term compliance, you need:\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-yaml\" data-lang=\"yaml\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c\"\u003e# .github/workflows/export-audit-logs.yml\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nt\"\u003ename\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003eExport Audit Logs\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nt\"\u003eon\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e  \u003c/span\u003e\u003cspan class=\"nt\"\u003eschedule\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    \u003c/span\u003e- \u003cspan class=\"nt\"\u003ecron\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"s1\"\u003e\u0026#39;0 2 * * 0\u0026#39;\u003c/span\u003e\u003cspan class=\"w\"\u003e  \u003c/span\u003e\u003cspan class=\"c\"\u003e# Weekly\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nt\"\u003ejobs\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e  \u003c/span\u003e\u003cspan class=\"nt\"\u003eexport\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    \u003c/span\u003e\u003cspan class=\"nt\"\u003eruns-on\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003eubuntu-latest\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    \u003c/span\u003e\u003cspan class=\"nt\"\u003esteps\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e      \u003c/span\u003e- \u003cspan class=\"nt\"\u003ename\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003eExport and archive audit logs\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e        \u003c/span\u003e\u003cspan class=\"nt\"\u003erun\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"p\"\u003e|\u003c/span\u003e\u003cspan class=\"sd\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"sd\"\u003e          gh api /orgs/{org}/audit-log --paginate \u0026gt; audit-log-$(date +%Y%m%d).json\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"sd\"\u003e          az storage blob upload --account-name complianceaudit --container-name logs --file audit-log-*.json\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003eISO 27001 expects audit logs retained for the full audit period (typically 3-7 years). GitHub\u0026rsquo;s retention isn\u0026rsquo;t sufficient. Export and archive.\u003c/p\u003e\n\n\n\n\n\u003ch2 id=\"beyond-compliance-the-quality-benefits\"\u003e\u003ca href=\"/posts/change-control-github-branch-protection/#beyond-compliance-the-quality-benefits\" title=\"Beyond Compliance: The Quality Benefits\"\u003eBeyond Compliance: The Quality Benefits\u003c/a\u003e\u003c/h2\u003e\n\u003cp\u003eHere\u0026rsquo;s the pragmatic reality: these controls don\u0026rsquo;t just satisfy auditors. They improve code quality, reduce production incidents, and make teams more productive.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eMandatory peer review catches bugs.\u003c/strong\u003e I\u0026rsquo;ve seen data from teams that introduced required reviews: production incident rates dropped 40-60% within three months. Not because developers suddenly got better at coding, but because a second set of eyes spotted issues before merge.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eAutomated testing prevents regressions.\u003c/strong\u003e Required status checks mean broken code never reaches main branch. Test failures block merge. You catch problems in pull requests, not production.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eSecurity scanning reduces vulnerabilities.\u003c/strong\u003e Automated CodeQL analysis and dependency scanning catch security issues before they ship. You fix them in development, not after exploitation.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eDeployment gates prevent panic changes.\u003c/strong\u003e The 5-minute cooling-off period and required approval for production deployments stops teams from making panicked changes during incidents. You think first, deploy second.\u003c/p\u003e\n\u003cp\u003eISO 27001 compliance doesn\u0026rsquo;t fight against development velocity. It reinforces the practices that high-performing teams already use. The controls aren\u0026rsquo;t bureaucracy—they\u0026rsquo;re engineering discipline codified.\u003c/p\u003e\n\n\n\n\n\u003ch2 id=\"practical-implementation-path\"\u003e\u003ca href=\"/posts/change-control-github-branch-protection/#practical-implementation-path\" title=\"Practical Implementation Path\"\u003ePractical Implementation Path\u003c/a\u003e\u003c/h2\u003e\n\u003cp\u003eIf you\u0026rsquo;re approaching ISO 27001 certification, here\u0026rsquo;s the pragmatic implementation sequence:\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eWeek 1: Enable Branch Protection\u003c/strong\u003e\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eConfigure main branch protection with pull request requirement\u003c/li\u003e\n\u003cli\u003eAdd minimum two required approvals\u003c/li\u003e\n\u003cli\u003ePrevent direct pushes to main\u003c/li\u003e\n\u003cli\u003eInclude administrators in restrictions\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cstrong\u003eWeek 2: Implement Status Checks\u003c/strong\u003e\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eCreate GitHub Actions workflow for build + test\u003c/li\u003e\n\u003cli\u003eAdd security scanning (CodeQL)\u003c/li\u003e\n\u003cli\u003eAdd code quality checks\u003c/li\u003e\n\u003cli\u003eConfigure these as required status checks\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cstrong\u003eWeek 3: Create CODEOWNERS\u003c/strong\u003e\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eIdentify security-sensitive code paths\u003c/li\u003e\n\u003cli\u003eAssign domain experts as code owners\u003c/li\u003e\n\u003cli\u003eConfigure required review from code owners\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cstrong\u003eWeek 4: Deploy Environment Protection\u003c/strong\u003e\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eCreate production environment in GitHub\u003c/li\u003e\n\u003cli\u003eConfigure required approvers (ops + security leads)\u003c/li\u003e\n\u003cli\u003eMigrate deployment workflows to use environment protection\u003c/li\u003e\n\u003cli\u003eRemove manual deployment scripts\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cstrong\u003eWeek 5: Implement Rollback Procedures\u003c/strong\u003e\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eCreate rollback workflow with environment protection\u003c/li\u003e\n\u003cli\u003eImplement automated tagging for deployments\u003c/li\u003e\n\u003cli\u003eTest rollback procedure with non-production environment\u003c/li\u003e\n\u003cli\u003eDocument rollback process for operations team\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cstrong\u003eWeek 6: Audit Log Archival\u003c/strong\u003e\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eSet up automated audit log export\u003c/li\u003e\n\u003cli\u003eConfigure long-term archival storage\u003c/li\u003e\n\u003cli\u003eVerify export and retrieval procedures\u003c/li\u003e\n\u003cli\u003eDocument retention policy\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThis gives you six weeks to implement compliant change control. Not six months. Not a year-long initiative. Six weeks of focused engineering work.\u003c/p\u003e\n\n\n\n\n\u003ch2 id=\"conclusion-compliance-through-technical-control\"\u003e\u003ca href=\"/posts/change-control-github-branch-protection/#conclusion-compliance-through-technical-control\" title=\"Conclusion: Compliance Through Technical Control\"\u003eConclusion: Compliance Through Technical Control\u003c/a\u003e\u003c/h2\u003e\n\u003cp\u003eISO 27001 change control isn\u0026rsquo;t about documentation. It\u0026rsquo;s not about process manuals. It\u0026rsquo;s not about trusting humans to follow procedures under pressure.\u003c/p\u003e\n\u003cp\u003eIt\u0026rsquo;s about technical controls that make compliance violations impossible. Branch protection that prevents unreviewed code from reaching production. Required status checks that block merges when tests fail. Environment protection that demands explicit authorization before deployment. Audit logs that record every action, every approval, every change.\u003c/p\u003e\n\u003cp\u003eGitHub provides these controls natively. You don\u0026rsquo;t need expensive compliance platforms. You don\u0026rsquo;t need complex workflows. You don\u0026rsquo;t need bureaucratic overhead. You need to configure the tools you already have to enforce the controls ISO 27001 requires.\u003c/p\u003e\n\u003cp\u003eThe teams that struggle with compliance are the ones trying to prove they \u003cem\u003efollow\u003c/em\u003e processes. The teams that succeed are the ones who \u003cem\u003eenforce\u003c/em\u003e processes through technical controls. When the auditor asks \u0026ldquo;show me your change control,\u0026rdquo; you don\u0026rsquo;t present a process document. You show them your branch protection configuration, your pull request history, your deployment logs, your audit trail.\u003c/p\u003e\n\u003cp\u003eThat\u0026rsquo;s evidence. That\u0026rsquo;s compliance. That\u0026rsquo;s how modern software teams satisfy ISO 27001 without sacrificing development velocity or burying engineers in compliance theater.\u003c/p\u003e\n\u003cp\u003eConfigure these controls. Enforce them technically. Document the evidence. Pass the audit. Then get back to building software—knowing that your change control process is working in the background, preventing the catastrophic mistakes that destroy certifications and damage customer trust.\u003c/p\u003e\n","date_modified":"2026-05-26T10:22:03+02:00","date_published":"2026-02-26T17:00:00+01:00","id":"https://daily-devops.net/posts/change-control-github-branch-protection/","language":"en","summary":"\"We trust our developers\" fails audits. GitHub branch protection makes ISO 27001 change control technically enforceable, not just documented.","tags":["iso-standards","security","github","devops","governance"],"title":"Trust Is Not a Control: ISO 27001 Compliance via GitHub","url":"https://daily-devops.net/posts/change-control-github-branch-protection/"}],"language":"en","title":"Governance \u0026 Compliance for .NET \u0026 Azure on Daily DevOps \u0026 .NET","version":"https://jsonfeed.org/version/1.1"}