Removed due to a merge of relevant content into security control 1211.
2017
Agencies should ensure their change management process includes:
• a policy which identifies which changes need to go through the formal change management process
• documenting the changes to be implemented
• formal approval of the change request
• maintaining and auditing logs of all changes
• conducting vulnerability management activities when significant changes have been made to the system
• testing and implementing the approved changes
• updating the relevant information security documentation including the SRMP, SSP and SOPs
• notifying and educating users of the changes that have been implemented as close as possible to the time the change is applied
• continually educating users in regard to changes.
2015
Agencies should ensure their change management process includes:
• a policy which identifies which changes need to go through the formal change management process
• documenting the changes to be implemented
• formal approval of the change request
• maintaining and auditing logs of all changes
• conducting vulnerability management activities when significant changes have been made to the system
• testing and implementing the approved changes
• updating the relevant information security documentation including the SRMP, SSP and SOPs
• notifying and educating users of the changes that have been implemented as close as possible to the time the change is applied
• continually educating users in regard to changes.
2010
It is recommended agencies use the following change management process:
• produce a written change request
• submit the change request for approval
• document the changes to be implemented
• implement and test the approved changes
• update the relevant information security documentation including the SRMP, SSP and SOPs
• notify and educate system users of the changes that have been implemented as close as possible to the time the change is applied
• continually educate system users in regard to changes.