Policies and procedures shall be established for managing the risks associated with applying changes to:
- Business-critical or customer (tenant)-impacting (physical and virtual) applications and system-system interface (API) designs and configurations.
- Infrastructure network and systems components. Technical measures shall be implemented to provide assurance that all changes directly correspond to a registered change request, business-critical or customer (tenant), and/or authorization by, the customer (tenant) as per agreement (SLA) prior to deployment.
from Cloud Controls Matrix