3.3 KiB
#iso27002/2022/EN
8.32 Change management
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Application_security #System_and_network_security | #Protection |
Control Changes to information processing facilities and information systems should be subject to change management procedures.
Purpose To preserve information security when executing changes.
Guidance Introduction of new systems and major changes to existing systems should follow agreed rules and a formal process of documentation, specification, testing, quality control and managed implementation. Management responsibilities and procedures should be in place to ensure satisfactory control of all changes.
Change control procedures should be documented and enforced to ensure the confidentiality, integrity and availability of information in information processing facilities and information systems, for the entire system development life cycle from the early design stages through all subsequent maintenance efforts.
Wherever practicable, change control procedures for ICT infrastructure and software should be integrated.
The change control procedures should include:
a) planning and assessing the potential impact of changes considering all dependencies;
b) authorization of changes;
c) communicating changes to relevant interested parties;
d) tests and acceptance of tests for the changes (see 8.29);
e) implementation of changes including deployment plans;
f) emergency and contingency considerations including fall-back procedures;
g) maintaining records of changes that include all of the above;
h) ensuring that operating documentation (see 5.37) and user procedures are changed as necessary to remain appropriate;
i) ensuring that ICT continuity plans and response and recovery procedures (see 5.30) are changed as necessary to remain appropriate.
Other information Inadequate control of changes to information processing facilities and information systems is a common cause of system or security failures. Changes to the production environment, especially when transferring software from development to operational environment, can impact on the integrity and availability of applications.
Changing software can impact the production environment and vice versa.
Good practice includes the testing of ICT components in an environment segregated from both the production and development environments (see 8.31). This provides a means of having control over new software and allowing additional protection of operational information that is used for testing purposes. This should include patches, service packs and other updates.
Production environment includes operating systems, databases and middleware platforms. The control should be applied for changes of applications and infrastructures.