
Control 8.32: Change Management


Summary

Changes to information processing facilities and systems should be subject to change management procedures. This ensures that all modifications are planned, documented, tested, and approved to minimize the risk of service disruption or security gaps.


Applicability

In-Scope: Mandatory for all organizations. It is the primary control for maintaining system integrity and ensuring that the organization remains in a known-good state after every technical update.

Out-of-Scope: Never out-of-scope.


Implementation Guidance

Microsoft 365 / Entra ID

  • Change Tracking: Use a restricted SharePoint List or Microsoft Planner to document all requested changes, including the risk assessment and back-out plan.

  • Audit Logging: Monitor the Entra ID Audit Logs and Azure Activity Logs to verify that all changes made to the tenant configuration match an approved change request.

  • Infrastructure as Code (IaC): Use Bicep or Terraform templates stored in a version-controlled repository to manage environment changes, ensuring every modification is peer-reviewed and documented.


Evidence Checklist

  • Change Management Policy: Documented procedures for requesting, testing, approving, and implementing technical changes.

  • Change Request Records: A history of recent changes including the description, impact analysis, and formal approval by the Change Advisory Board (CAB) or manager.

  • Back-out Plans: Evidence that every major change has a documented method to revert the system if the implementation fails.


Practical Audit Advice

Here are some questions the auditor might ask:

  • What is the process for handling an emergency change that must be implemented outside of the standard review cycle?

  • How do you ensure that the person requesting the change is not the same person who formally approves it (Segregation of Duties)?

  • Can you provide the documentation for a recent major system change, including the test results and the formal sign-off?

  • How does the organization identify and address unauthorized changes that were made to the system without a corresponding change request?
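The Audit Logging guidance above and the auditor's last question both come down to the same check: reconciling tenant audit events against approved change requests. The Python below is an added example, not code from this page or from Microsoft; it constructs sample events in the shape of Microsoft Graph directoryAudit records, uses a hypothetical change-request format (implementer, window_start, window_end are assumed fields), and also answers the Segregation of Duties question by comparing requester and approver.

```python
# Added example (not from the page or Microsoft): reconcile Entra ID directory
# audit events, constructed here in Microsoft Graph directoryAudit shape, against
# approved change requests held in a hypothetical record format.
from datetime import datetime

def _event(ts, name, upn, target):
    """Build a constructed directoryAudit-shaped record."""
    return {"activityDateTime": ts, "activityDisplayName": name,
            "initiatedBy": {"user": {"userPrincipalName": upn}},
            "targetResources": [{"displayName": target}]}

AUDIT_EVENTS = [
    _event("2024-05-06T09:15:00Z", "Update conditional access policy",
           "alice@example.com", "CA-Require-MFA"),
    _event("2024-05-06T14:40:00Z", "Add member to role",
           "bob@example.com", "Global Administrator"),
    _event("2024-05-06T09:20:00Z", "Update conditional access policy",
           "carol@example.com", "CA-Require-MFA"),
]

# Constructed approved change requests (hypothetical format).
CHANGE_REQUESTS = [
    {"id": "CHG-1042", "requester": "alice@example.com", "approver": "dave@example.com",
     "implementer": "alice@example.com", "target": "CA-Require-MFA",
     "window_start": "2024-05-06T09:00:00Z", "window_end": "2024-05-06T10:00:00Z"},
    {"id": "CHG-1043", "requester": "bob@example.com", "approver": "bob@example.com",
     "implementer": "bob@example.com", "target": "Global Administrator",
     "window_start": "2024-05-06T14:00:00Z", "window_end": "2024-05-06T15:00:00Z"},
]

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def sod_violations(changes):
    """Ids of changes where the requester also approved (Segregation of Duties)."""
    return [c["id"] for c in changes if c["requester"] == c["approver"]]

def match_change(event, changes):
    """Id of the approved change covering this event's actor, target and window, else None."""
    when = _ts(event["activityDateTime"])
    actor = (event["initiatedBy"].get("user") or {}).get("userPrincipalName")
    targets = {t["displayName"] for t in event["targetResources"]}
    for c in changes:
        if (c["implementer"] == actor and c["target"] in targets
                and _ts(c["window_start"]) <= when <= _ts(c["window_end"])):
            return c["id"]
    return None

def unauthorized_changes(events, changes):
    """Audit events with no matching approved change request."""
    return [e for e in events if match_change(e, changes) is None]
```

In the constructed data, carol's edit falls inside an approved window but was made by someone other than the named implementer, so it is reported as unauthorized, while bob's role change is approved but fails the Segregation of Duties check.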