Change management — IT systems, configuration, supplier services, risk
Primary statement
Change management operates as a documented discipline: (1) all changes to IT systems pass through change management procedures (ISO A.8.32); (2) configuration management practices are established and applied (NIST PR.PS-01 + ISO A.8.9); (3) changes and exceptions to risk are managed, assessed, recorded and tracked (NIST ID.RA-07); (4) supplier service changes are monitored, reviewed, evaluated and managed (ISO A.5.22); (5) critical mission functions are considered when defining post-incident operational norms (NIST RC.RP-04); (6) RBI ITGRCA IM.18 classifies changes as Standard/Normal/Emergency, with CAB approval required for non-standard changes.
Audit-fatigue payoff
A unified change management programme (change classification + CAB + configuration management + supplier change tracking + exception register) satisfies the change requirements of all 8 contributing frameworks. The Standard/Normal/Emergency classification (RBI ITGRCA IM.18) is the audit-defensible classification model.
Strictness matrix
Scope
Scope: ALL changes to information processing facilities and information systems. No category is exempt without a documented exception process. Includes supplier service changes (A.5.22).
Ceiling source: iso27001:A.8.32
Rationale: ISO 27001 A.8.32 universal scope is the audit-defensible specification.
Threshold
Threshold for risk-impacting changes: each change is assessed for risk impact, recorded and tracked. Exceptions to risk are managed with the same discipline as changes. The risk assessment is the binary threshold: high-risk changes require explicit risk approval.
Ceiling source: nist_csf:ID.RA-07
Rationale: NIST CSF ID.RA-07 risk-impact assessment is the audit-defensible threshold.
Method
Method: (1) change classification (Standard / Normal / Emergency); (2) CAB approval for non-standard changes; (3) risk assessment per change (NIST ID.RA-07); (4) configuration management integration (ISO A.8.9 + NIST PR.PS-01); (5) testing in non-production before production deployment; (6) rollback plan documented; (7) post-implementation review; (8) supplier change management (ISO A.5.22); (9) exception register with explicit risk acceptance; (10) integration with vulnerability and patch management (cl-vuln-identification).
Ceiling source: iso27001:A.8.32
Rationale: ISO 27001 A.8.32 method combined with NIST ID.RA-07 risk integration is the most prescriptive.
Frequency
Change processing: per change. CAB cadence: weekly is typical, with an emergency CAB convened on demand. Configuration baseline assessment: quarterly (per cl-hardening). Supplier change review: per supplier service change, plus an annual review. Exception register review: quarterly.
Ceiling source: iso27001:A.8.32
Rationale: Weekly CAB cadence with emergency-on-demand is the standard cadence.
Evidence
Required evidence: (1) change management procedure; (2) change records with classification, risk assessment, approvals; (3) CAB minutes; (4) configuration baseline records; (5) testing evidence per change; (6) rollback plans; (7) post-implementation review records; (8) supplier change tracking; (9) exception register with risk acceptance.
Ceiling source: iso27001:A.8.32
Rationale: ISO 27001 A.8.32 evidence list with CAB minutes is comprehensive.
Auditor test pattern
Step 1: Inspect the change management procedure, including its classification model. Step 2: Sample 3 changes; verify classification, risk assessment and approval for each. Step 3: For one emergency change, verify post-hoc CAB review. Step 4: Inspect the integration between configuration management and change management. Step 5: For one supplier service change, verify monitoring/review evidence. Step 6: Inspect the exception register; verify that each exception carries an explicit risk acceptance.
Common findings
Common 2024–26 findings: (1) Emergency changes bypass the CAB without post-hoc review; (2) Risk assessment per change is a checkbox exercise, not substantive; (3) Configuration management is de-coupled from change management; (4) Supplier service changes are not tracked; the organisation relies on vendor self-reports; (5) The exception register grows without periodic re-acceptance; (6) Rollback plans are documented but never tested.