Standard : Infrastructure is version controlled and peer reviewed

Purpose and Strategic Importance

This standard ensures infrastructure is managed as code—version controlled, peer reviewed, and tested before deployment. It brings rigour, traceability, and collaboration to infrastructure changes, reducing risk and improving quality.

Aligned to our "Infrastructure as Code (IaC) & Policy as Code" policy, this standard promotes shared ownership, continuous learning, and safer delivery. Without it, changes are harder to track, review, and recover from.

Strategic Impact

  • Improved delivery flow and operational efficiency
  • Reduced risk of outages or misconfigurations
  • Greater visibility and auditability of change history
  • Stronger system resilience and compliance posture

Risks of Not Having This Standard

  • Reduced ability to respond to change or failure
  • Accumulation of technical debt or friction
  • Poor developer experience and morale
  • Decreased confidence in releases and features
  • Misalignment between technical implementation and business priorities

CMMI Maturity Model

Level 1 – Initial

Category Description
People & Culture Infrastructure changes are made manually and owned by a few.
Little peer collaboration or shared understanding.
Process & Governance No formal change process exists.
Changes are often undocumented and hard to track.
Technology & Tools No version control is used for infrastructure.
Scripts may be stored locally or shared ad hoc.
Measurement & Metrics No visibility into the volume or impact of infrastructure changes.

Level 2 – Managed

Category Description
People & Culture Engineers begin to adopt version control, but reviews are ad hoc or optional.
Process & Governance Some teams create tickets or change logs, but processes are not standardised.
Technology & Tools IaC is stored in Git or similar systems, but peer review is not enforced.
Measurement & Metrics Major incidents may be retrospectively linked to unreviewed changes.

Level 3 – Defined

Category Description
People & Culture Peer review becomes a cultural norm.
Teams value shared responsibility for infrastructure quality.
Process & Governance All infrastructure changes require pull requests and approvals.
Rollback plans and validations are standard.
Technology & Tools Infrastructure changes are tested via automated pipelines before deployment.
Measurement & Metrics Change failure rates, time to deploy, and test pass rates are routinely tracked.

Level 4 – Quantitatively Managed

Category Description
People & Culture Engineers use feedback from reviews to improve code quality.
Peer learning is embedded into review processes.
Process & Governance Change processes are policy-driven and enforced consistently across environments.
Technology & Tools Tools measure test coverage, compliance, and review turnaround time.
Measurement & Metrics Metrics are used to guide process improvements and detect patterns.

Level 5 – Optimising

Category Description
People & Culture Teams continuously reflect and refine infrastructure practices.
Reviews serve as coaching and design opportunities.
Process & Governance Risk-based and context-aware processes adapt based on system complexity and change history.
Technology & Tools Automated change pipelines include predictive quality checks and anomaly detection.
Measurement & Metrics Continuous improvement based on change insights and incident correlations.

Key Measures

  • % of infrastructure changes reviewed prior to deployment
  • % of infrastructure components tracked in version control
  • Average peer review turnaround time
  • Ratio of successful vs failed infrastructure changes
  • Change-induced incident rate over time