September 19th, 2024

Microsoft 365 Certification control spotlight: Change controls

Developers in multiple industries have faced issues due to system modifications or updates that were implemented without comprehensive review and testing. The evaluation of new software, code, or alterations in network configurations needs to be executed in a secure environment that shields the broader organization from potential dangers. Without adequate separation, testing environments can become targets for hackers seeking to access customer information.

ISVs use change controls to prevent unauthorized or untested changes from adding security risks to an app ecosystem. Having these safeguards in place can help prevent outages, disruptions, data loss, or corruption, any of which can make systems more susceptible to cyberattacks.

Change controls are the processes and procedures used to manage changes in an organization’s systems or software. They validate that any requested changes have been carefully considered and documented. This involves evaluating how the change will affect system security, outlining recovery steps in case of issues, and specifying the testing required to confirm the change’s effectiveness.

Change controls help to minimize the risk of system outages and potential security incidents caused by improper changes being introduced. They ensure that all changes are effectively managed, peer-reviewed, and adequately tested to validate that apps are secure.

Microsoft 365 Certification validates change controls are in place

Microsoft 365 Certification validates that changes introduced to an app’s production environments are implemented through documented change requests. These change requests must contain information about the impact of the change, details of back-out procedures, testing to be carried out, and review and approval by authorized personnel.

Developers provide evidence showing that the approval process is being followed, which can be demonstrated with signed documents, tracking within change control systems, or using tools like Azure DevOps or JIRA to track requests and authorization.

Auditors will review evidence that development and testing/staging environments are distinctly separate, ensuring error reduction through stringent boundaries. Access controls are established to prevent unauthorized alterations or data leaks, and sensitive information is excluded from the testing area.

Next steps

To learn more about how Microsoft 365 Certification validates that change controls are in place for your application, visit the Microsoft 365 Certification change controls evidence requirements.

To start certification, go to the Microsoft Partner Center dashboard, select an app from Marketplace offers overview, and select App Compliance.
