A.8.32 Change Management
- Change Management Policy: A documented change management policy that outlines the organization's approach to managing changes to information systems, networks, applications, and infrastructure. The policy should define roles, responsibilities, and the change management process.
- Change Management Process: Documentation of the step-by-step change management process, including the stages of change request submission, evaluation, approval, testing, implementation, and post-implementation review.
- Change Requests: Records of change requests submitted by individuals or teams within the organization. These requests should include details such as the reason for the change, the scope of the change, the expected benefits, and the potential risks.
- Change Evaluation and Approval: Evidence of how change requests are evaluated and approved. This may include approval forms, decision records, and documented risk assessments.
- Testing and Validation: Proof that changes are thoroughly tested and validated before implementation. This should include test plans, test results, and sign-offs by relevant stakeholders.
- Change Implementation Records: Documentation of the implementation of approved changes, including details of the date, time, and individuals responsible for the implementation.
- Emergency Change Management: Evidence of how emergency changes are handled, including the criteria for classifying a change as an emergency and the process for expedited approval and implementation.
- Backout Plans: Records of backout plans for changes in case they cause unexpected issues or disruptions. Backout plans should outline the steps to revert to the previous state if necessary.
- Change Communication: Documentation of how change information is communicated to affected parties, stakeholders, and end-users. This may include email notifications, announcements, or training materials.
- Change Documentation and Records: Comprehensive documentation of all changes, including change logs, change registers, and change history. This ensures a complete audit trail of all changes made to the organization's IT environment.
- Change Review and Post-Implementation Review: Evidence of how changes are reviewed post-implementation to assess their effectiveness and any lessons learned. This helps improve the change management process and prevent recurring issues.
- Change Control Board (CCB): Information about the CCB responsible for overseeing the change management process, including the composition of the board and meeting minutes.
- Change Management Tools: Details of the tools and systems used to facilitate the change management process, such as change management software or ticketing systems.

As an auditor, I would review these pieces of evidence to assess the effectiveness and efficiency of the organization's change management process. The goal is to ensure that changes are managed in a controlled and secure manner to minimize the risk of disruptions, vulnerabilities, and unauthorized modifications to information systems and infrastructure.