3.4.2 Change Requirement Definition and Approval
| No: 43028139 | Date(g): 4/11/2021 | Date(h): 29/3/1443 | Status: In-Force |
Principle
Changes to information assets should be formally defined, documented and approved by relevant asset owner prior to implementing the change in the information assets.
Control Requirements
| 1. | Change requirements should be formally initiated by the requestor of the change. |
| 2. | Change requirements should specify both functional and non-functional requirements, where applicable. |
| 3. | Change requirements should be formally reviewed and approved by the concern asset owner. |
| 4. | Any changes in the information assets should be assessed for their impact on the systems prior to implement the change. |
| 5. | Any change in the information assets should be endorsed by the Change Advisory Board (48") prior deploying to the production environment. |
| 6. | Any changes in the information assets should be reviewed and approved by the cyber security function before submitting to ‘CAB’ (required as per SAMA Cyber Security Framework, 3.3.7 Change Management, Control Requirements, 4 - d). |