As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, organizations should develop and implement robust change management procedures. These procedures must apply to all changes related to software, hardware, firmware components, ICT systems, and security parameters. The procedures must include the following critical elements:
- Conduct a formal verification process to ensure that all ICT security requirements have been met before any change is approved or implemented.
- Ensure that the team requesting and implementing a change is independent of the team reviewing and approving it, to prevent conflicts of interest and ensure objectivity.
Ensure there is a clear assignment of roles and responsibilities, covering:
- Specification and planning of changes
- Design of an adequate transition, ensuring operational continuity
- Controlled testing and finalization of the change
- Effective quality assurance throughout the change lifecycle.
Document and communicate the following details for every change:
- Purpose and scope of the change
- Timeline for implementation
- Expected outcomes of the change
- Fallback procedures and responsibilities, including procedures for aborting a change and plans for recovering from failed or partial implementations.
Include specific protocols for handling urgent situations:
- Define emergency change procedures that still provide adequate safeguards despite their expedited nature.
- Ensure that all emergency changes (including workarounds and patches) are documented, are re-evaluated and assessed post-implementation, and undergo formal approval after deployment.
The procedures should also include a security impact assessment for each proposed change, identifying its potential impact on existing ICT security measures.