CCC-03: Change Management Technology

CSF v1.1 References:

PF v1.0 References:

This control is new to this version of the control set and incorporates the following item from the previous version: CCC-05: Production Changes.

Control Statement

Manage the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced).

Implementation Guidance

The organization should:

  1. Collaborate with relevant internal and external parties involved in the change management process.
  2. Assess the impact and type of change to determine the risk of the change before it is applied.
  3. Adopt Change Management Technologies to manage the change management workflow. These tools should help adequately manage the authorization process, including activity logging. In addition, real-time reporting/monitoring capabilities should be implemented to monitor change progress so that quick decisions can be made to manage the risks of unforeseen issues due to the change implementation.

Understanding how those relevant components impact the security and usability of the supply chain that supports organizational environments should be one aspect of such collaboration.

Auditing Guidance

  1. Examine policy related to the change management of assets.
  2. Examine the policy for the identification of risks arising from these changes being applied.
  3. Determine if assets are classified based on their management responsibility, and if these have specific risk profiles.

[Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.