ID.RA-07.169

Does your organization have formal procedures for documenting, reviewing, testing, and approving changes and exceptions to systems and applications?

Explanation

This question assesses whether your organization has established a structured change management process that requires proper documentation, review, testing, and approval before implementing changes or granting exceptions to security controls. Without formal procedures, changes may be implemented inconsistently, potentially introducing security vulnerabilities or operational issues.

A comprehensive change management procedure helps maintain system integrity, ensures changes are properly vetted, and creates accountability. It also helps track modifications to systems over time, which is valuable for troubleshooting and compliance purposes.

Evidence could include a formal change management policy document, change request forms with approval workflows, documentation of testing procedures for changes, and records of past change requests showing the full approval cycle.

Implementation Example

Implement and follow procedures for the formal documentation, review, testing, and approval of proposed changes and requested exceptions.

ID: ID.RA-07.169

Context

Function: ID: IDENTIFY
Category: ID.RA: Risk Assessment
Sub-Category: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub