
19) Does your organisation have a formal change management process that gives consideration to information security?

August 30, 2022
IT Operations
Change Management

Answer yes if your organisation has a formal change management process that includes a step to assess any security risks that the change may impact, and that requires a rollback plan. Please provide a supporting document (as a PDF file) outlining the process, or describe the process in the notes section as evidence.

Your organisation should run a change management process for any changes made to critical environments or systems. The change management process should:

  1. document the change;
  2. collect any approvals needed to perform the change;
  3. assess how the change may impact security and resilience of the systems;
  4. define a rollback plan that can be enacted if the change causes any system disruption.

Your change management process should include security input as a defined step. This allows you to anticipate the security consequences a change may have on information resources before it is made, to estimate the cost of the change more accurately, and to confirm that the change keeps you in compliance with applicable regulations and standards.

An efficient and effective change management process will reduce downtime in your systems and lower the probability of new vulnerabilities being introduced by system changes, reducing the overall cost of operating your IT estate.

How to implement the control

Your change management process will depend on your organisation’s specific requirements around its IT environment. If you are deploying a SaaS product through a CI/CD pipeline, the pipeline may (if configured correctly) already include all of the steps required to satisfy your change management requirements: the commit or pull request documents the change, a protected deployment stage collects approvals, automated security checks assess the change, and a rollback job restores the previous release if the deployment fails.
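As an added illustration that is not part of the original article, the GitHub Actions workflow below maps the four steps of the process above onto pipeline jobs. It assumes a `production` environment with required reviewers configured in the repository settings (which is what makes the deploy job pause for approval), a Python project with a `requirements.txt` that `pip-audit` can check, and two hypothetical scripts, `scripts/deploy.sh` and `scripts/rollback.sh`, that take a release identifier; substitute the scanner and scripts used by your own stack.

```yaml
# Added example, not the article's own configuration. Assumes: a 'production'
# environment with required reviewers, a requirements.txt for pip-audit, and
# hypothetical scripts/deploy.sh and scripts/rollback.sh taking a release id.
name: production-change

on:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  # Step 1: document the change. The commit is the change record; this job
  # captures who requested it and what release to fall back to, and keeps
  # that record as a run artefact for the rollback job and for audit.
  document:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so the previous tag can be found
      - name: Write the change record
        run: |
          {
            echo "change_id=${GITHUB_SHA}"
            echo "requested_by=${GITHUB_ACTOR}"
            echo "previous_release=$(git describe --tags --abbrev=0 HEAD~1 2>/dev/null || echo none)"
          } > change-record.txt
      - uses: actions/upload-artifact@v4
        with:
          name: change-record
          path: change-record.txt

  # Step 3: assess the security impact before asking anyone to approve.
  # A failing audit stops the pipeline, so an unreviewed vulnerable
  # dependency never reaches the approval stage.
  security-assessment:
    needs: document
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Dependency audit (pip-audit; swap for your stack's scanner)
        run: |
          python -m pip install pip-audit
          pip-audit -r requirements.txt

  # Step 2: collect approvals. Because 'production' has required reviewers,
  # this job waits until an approver signs off in the Actions UI.
  deploy:
    needs: security-assessment
    runs-on: ubuntu-latest
    environment: production
    steps:
      - uses: actions/checkout@v4
      - name: Deploy the change
        run: ./scripts/deploy.sh "${GITHUB_SHA}"

  # Step 4: rollback plan, enacted automatically only when the deploy job
  # itself failed (not when an earlier gate blocked the change).
  rollback:
    needs: deploy
    if: failure() && needs.deploy.result == 'failure'
    runs-on: ubuntu-latest
    environment: production
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          name: change-record
      - name: Roll back to the previous release
        run: |
          prev=$(sed -n 's/^previous_release=//p' change-record.txt)
          if [ "$prev" = "none" ]; then
            echo "No previous release recorded; manual rollback required" >&2
            exit 1
          fi
          ./scripts/rollback.sh "$prev"
```

The rollback condition is deliberately narrower than a bare `if: failure()`: that expression is also true when an ancestor job such as the security audit fails, which would trigger a rollback of a release that was never deployed. The approval gate lives in the environment's protection rules rather than in the workflow file, so a contributor cannot remove it by editing the YAML in the same pull request that introduces the change.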

If you are not building a SaaS product and are instead managing changes to your wider IT environment, your change process may be more manual, or you may wish to use a tool with a change management component, such as an ITSM (IT Service Management) platform, to record changes, route approvals and hold the rollback plan.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
