ID.RA-07.170

Does your organization document risks associated with proposed changes and provide rollback procedures for each change?

Explanation

Change management requires thorough risk assessment to understand potential impacts before implementation. Organizations should document both the risks of implementing a change (like service disruptions or security vulnerabilities) and the risks of not implementing it (such as remaining vulnerable to known threats). Additionally, having documented rollback procedures ensures that if a change causes unexpected issues, the organization can quickly restore systems to a known good state. Evidence could include change management documentation templates that include dedicated sections for risk assessment (both for implementing and not implementing) and rollback procedures, along with completed examples of recent change requests showing how these were documented in practice.

Implementation Example

Document the possible risks of making or not making each proposed change, and provide guidance on rolling back changes

ID: ID.RA-07.170

Context

Function: IDENTIFY
Category: ID.RA (Risk Assessment)
Sub-Category: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub