Did you establish a formal change management process where change requests go through an approval process before implementation?

Please specify which roles are allowed to approve which changes

Do change management and configuration controls exist, and are they implemented and documented?

If applicable, do you have separate environments for development, QA and production?

Is documentation describing known issues with certain products/services available?

Are there policies and procedures in place to triage and remedy reported bugs and security vulnerabilities for product and service offerings?

Are mechanisms in place to ensure that all debugging and test code elements are removed from released software versions?

Do you have controls in place to restrict and monitor the installation of unauthorized software onto your systems?

Do you provide tenants with documentation that describes your production change management procedures and their roles/rights/responsibilities within it?

Are policies and procedures established for management authorization for development or acquisition of new applications, systems, databases, infrastructure, services, operations and facilities?