We have to update our rule set from time to time for a few risk definitions. We would like to have the same rule IDs in all the prod and non-prod GRC systems. In prod, we also assign a mitigation control to a specific rule ID of an access risk (e.g. rule ID 00M1 rather than * during mitigation of a risk). If we update the rule set in Dev and regenerate the updated part only, then transport the entire rule set from Dev all the way to Prod, do we have to generate the entire rule set in Prod after the transport reaches Prod?
If so, I am going to get different rule IDs in Prod than in Dev. This means my mitigation controls assigned to risks at the level of rule IDs will be completely messed up, as rule IDs will be different this time!
In summary, any advice on the best practice for 1) rule set update and 2) mitigation control assignment would be a great help.