Initial commit

05-guidance/secure-change-and-deployment-guidance.md

@@ -0,0 +1,57 @@
+# Secure Change And Deployment Guidance
+
+## Purpose
+
+This guidance note helps engineering and operational teams apply the change and deployment controls consistently in a cloud-native environment.
+
+## Key Principle
+
+The goal is not to slow change down. The goal is to make production change deliberate, traceable, and recoverable.
+
+## What Deserves More Scrutiny
+
+Higher-risk changes usually include:
+
+- authentication or authorisation changes
+- changes affecting production access or secrets
+- Kubernetes or infrastructure changes
+- CI/CD pipeline changes
+- logging or monitoring changes
+- customer-impacting configuration changes
+
+## Minimum Practical Checks Before Deployment
+
+Before a production deployment, confirm:
+
+- the change is reviewed and approved at the right level
+- the deployment path is the approved one
+- rollback or recovery is understood
+- monitoring exists to detect failure quickly
+- any customer or operational communication need is understood
+
+## Emergency Change Discipline
+
+Emergency change does not mean uncontrolled change. If a shortcut is needed during an incident or outage, the record still needs to show:
+
+- why the shortcut was necessary
+- who made the decision
+- what was changed
+- what retrospective review is required
+
+## Evidence To Keep
+
+Useful deployment evidence often includes:
+
+- change approval
+- code review or pipeline traceability
+- deployment timestamp
+- deployment owner
+- validation results
+- rollback or follow-up actions where relevant
+
+## Related Documents
+
+- `../../01-policies/change-management-policy.md`
+- `../../02-standards/ci-cd-security-standard.md`
+- `../../03-procedures/change-approval-procedure.md`
+- `../../03-procedures/production-deployment-procedure.md`