CCC-01: Change Management Policy and Procedures

CSF v1.1 References:
Control is new to this version of the control set and incorporates the following items from the previous version: CCC-05: Production Changes, GRM-06: Policy, GRM-09: Policy Reviews.

Control Statement

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for managing the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced). Review and update the policies and procedures at least annually.

Implementation Guidance

A documented and approved change management policy (and associated process documentation) should:

  1. Ensure that changes are tested, documented, risk assessed, and authorized in a consistent and timely manner. All changes (e.g., major, minor, and emergency, together with the criteria that qualify a change as each type) to organization assets, applications, system software, and information technology (IT) infrastructure (e.g., hardware, operating systems, communications equipment, and software) and their associated configurations should be within the scope of the change management policy.
  2. Be communicated and made accessible to all employees and interested parties involved in the change management process (e.g., service/application owners, project leaders, IT and operating systems staff, contractors, etc.).
  3. Include the management of emergency changes.

Auditing Guidance

  1. Examine the policy and procedures to determine whether they cover the necessary elements of change management, including scope, documentation, testing, approval, and emergency changes.
  2. Examine a sample of change records for information assets, including systems, networks, and network services, to determine whether the changes comply with the organization's change management policy and procedures.
  3. Examine whether the policy and procedures are reviewed and updated at least annually.

[ Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.