3.3.7 Change Management
| No: 381000091275 | Date(g): 24/5/2017 | Date(h): 28/8/1438 | Status: In-Force |
Principle
The Member Organization should define, approve and implement a change management process that controls all changes to information assets. The compliance with the process should be monitored and the effectiveness should be measured and periodically evaluated.
Objective
To ensure that all change in the information assets within the Member Organization follow a strict change control process.
Control considerations
| 1. | The change management process should be defined, approved and implemented. | |||
| 2. | The compliance with the change management process should be monitored. | |||
| 3. | The effectiveness of the cyber security controls within the change management process should be measured and periodically evaluated. | |||
| 4. | The change management process should include: | |||
| a. | cyber security requirements for controlling changes to information assets, such as assessing the impact of requested changes, classification of changes and the review of changes; | |||
| b. | security testing, which should (if applicable) include: | |||
| 1. | penetration testing; | |||
| 2. | code review if applications are developed internally; | |||
| 3. | code review of externally developed applications and if the source code is available | |||
| 4. | a code review report (or equivalent, such as an independent assurance statement) in case the source code cannot be provided; | |||
| c. | approval of changes by the business owner; | |||
| d. | approval from the cyber security function before submitting to Change Advisory Board (CAB); | |||
| e. | approval by CAB; | |||
| f. | post-implementation review of the related cyber security controls; | |||
| g. | development, testing and implementation are segregated for both the (technical) environment and involved individuals; | |||
| h. | the procedure for emergency changes and fixes; | |||
| i. | fall-back and roll-back procedures. | |||