Systems have a change and configuration management plan that includes:
• what constitutes routine and urgent changes to the configuration of systems
• how changes to the configuration of systems will be requested, tracked and documented
• who needs to be consulted prior to routine and urgent changes to the configuration of systems
• who needs to approve routine and urgent changes to the configuration of systems
• who needs to be notified of routine and urgent changes to the configuration of systems
• what additional change management and configuration management processes and procedures need to be followed before, during and after routine and urgent changes to the configuration of systems.
Topic
Change and configuration management plan
Applicable to
Non Classified, Official, Protected, Secret, Top Secret
History
Priority
recommended
Mar 2025
Reinstated
Systems have a change and configuration management plan that includes:
• what constitutes routine and urgent changes to the configuration of systems
• how changes to the configuration of systems will be requested, tracked and documented
• who needs to be consulted prior to routine and urgent changes to the configuration of systems
• who needs to approve routine and urgent changes to the configuration of systems
• who needs to be notified of routine and urgent changes to the configuration of systems
• what additional change management and configuration management processes and procedures need to be followed before, during and after routine and urgent changes to the configuration of systems.
The previously rescinded control on change management processes was reinstated and amended to cover the development of change and configuration management plans for systems, specifically:
Systems have a change and configuration management plan that includes:
• what constitutes routine and urgent changes to the configuration of systems
• how changes to the configuration of systems will be requested, tracked and documented
• who needs to be consulted prior to routine and urgent changes to the configuration of systems
• who needs to approve routine and urgent changes to the configuration of systems
• who needs to be notified of routine and urgent changes to the configuration of systems
• what additional change management and configuration management processes and procedures need to be followed before, during and after routine and urgent changes to the configuration of systems.
Nov 2018
Removed
Removed due to a merge of relevant content into security control 1211.
2017
Agencies should ensure their change management process includes:
• a policy which identifies which changes need to go through the formal change management process
• documenting the changes to be implemented
• formal approval of the change request
• maintaining and auditing logs of all changes
• conducting vulnerability management activities when significant changes have been made to the system
• testing and implementing the approved changes
• updating the relevant information security documentation including the SRMP, SSP and SOPs
• notifying and educating users of the changes that have been implemented as close as possible to the time the change is applied
• continually educating users in regard to changes.
2015
Agencies should ensure their change management process includes:
• a policy which identifies which changes need to go through the formal change management process
• documenting the changes to be implemented
• formal approval of the change request
• maintaining and auditing logs of all changes
• conducting vulnerability management activities when significant changes have been made to the system
• testing and implementing the approved changes
• updating the relevant information security documentation including the SRMP, SSP and SOPs
• notifying and educating users of the changes that have been implemented as close as possible to the time the change is applied
• continually educating users in regard to changes.
2010
It is recommended agencies use the following change management process:
• produce a written change request
• submit the change request for approval
• document the changes to be implemented
• implement and test the approved changes
• update the relevant information security documentation including the SRMP, SSP and SOPs
• notify and educate system users of the changes that have been implemented as close as possible to the time the change is applied
• continually educate system users in regard to changes.