CCC-05: Change Agreements

CSF v1.1 References:

PF v1.0 References:

Previous Version:

Control Statement

Include provisions limiting changes directly impacting CSC-owned environments/tenants to explicitly authorized requests within service level agreements between CSPs and CSCs.

Implementation Guidance

Processes and procedures established by both the CSP and CSC should reflect respective change management responsibilities with respect to the scope of services being provided and/or consumed. Each party's responsibility should be acknowledged, where applicable, and that acknowledgment should be part of a written change management agreement between CSC and CSP. The acknowledgment should include a reference to limitations related to changes impacting CSC-owned environments/tenants.

NOTE: The CSP may need to apply changes that impact CSC-owned environments/tenants without the explicit authorization of the CSC (in case those changes would be required for the overall security of the CSP system). If those types of changes are applied, the CSC should be consulted promptly.

Auditing Guidance

  1. Examine policy and/or procedures related to change management to determine whether provisions are included for limiting changes directly impacting CSC-owned environments/tenants to explicitly authorized requests within service level agreements between CSPs and CSCs.
  2. Examine relevant documentation, observe relevant processes, and/or interview the control owner(s), and/or relevant stakeholders, as needed, for change agreements and determine if the policy control requirements stipulated in the policy have been implemented.
  3. Examine measures that evaluate the organization's change agreement policy and determine if these measures are implemented according to policy control requirements.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.