Does your organization document risks associated with proposed changes and provide rollback procedures for each change?
Explanation
Change management requires thorough risk assessment to understand potential impacts before implementation.
Organizations should document both the risks of implementing a change (like service disruptions or security vulnerabilities) and the risks of not implementing it (such as remaining vulnerable to known threats).
Additionally, having documented rollback procedures ensures that if a change causes unexpected issues, the organization can quickly restore systems to a known-good state. A rollback procedure is only usable if the pre-change state has actually been preserved (for example, a backup, snapshot, or prior configuration version taken before the change), so the change record should identify that restore point and the conditions under which rollback is triggered.
Evidence could include change management documentation templates that include dedicated sections for risk assessment (both for implementing and not implementing) and rollback procedures, along with completed examples of recent change requests showing how these were documented in practice.
Implementation Example
Document the possible risks of making or not making each proposed change, and provide guidance on rolling back the change.
ID: ID.RA-07.170
Context
- Function
- ID: IDENTIFY
- Category
- ID.RA: Risk Assessment
- Sub-Category
- Changes and exceptions are managed, assessed for risk impact, recorded, and tracked
Related questions
- Does your organization implement vulnerability management tools to detect unpatched software and misconfigurations?
- Does your organization regularly conduct security architecture reviews to identify and remediate design and implementation weaknesses?
- Does your organization conduct security reviews, analysis, or testing of internally developed software to identify vulnerabilities in design, code, and default configurations?
- Has your organization conducted a comprehensive physical security assessment of all facilities housing critical computing assets within the past 12 months?
- Does your organization actively monitor cyber threat intelligence sources for information about new vulnerabilities in your products and services?
- Does your organization regularly conduct vulnerability assessments of business processes and procedures to identify potential cybersecurity weaknesses?