T7.6.1 - CHANGE CONTROL PROCEDURES Implementation Guidance
The entity shall control the implementation of changes by the use of formal change control procedures.
Formal change control procedures should be documented and enforced in order to minimize the corruption of information systems. Introduction of new systems and major changes to existing systems should follow a formal process of documentation, specification, testing, quality control, and managed implementation.
This process should include a risk assessment, analysis of the impacts of changes, and specification of security controls needed. This process should also ensure that existing security and control procedures are not compromised, that support programmers are given access only to those parts of the system necessary for their work, and that formal agreement and approval for any change is obtained.
Wherever practicable, application and operational change control procedures should be integrated. The change procedures should include:
- A. Maintaining a record of agreed authorization levels
- B. Ensuring changes are submitted by authorized users
- C. Reviewing controls and integrity procedures to ensure that they will not be compromised by the changes
- D. Identifying all software, information, database entities, and hardware that require amendment
- E. Obtaining formal approval for detailed proposals before work commences
- F. Ensuring authorized users accept changes prior to implementation
- G. Ensuring that the system documentation set is updated on the completion of each change and that old documentation is archived or disposed of
- H. Maintaining version control for all software updates
- I. Maintaining an audit trail of all change requests
- J. Ensuring that operating documentation and user procedures are changed as necessary to remain appropriate
- K. Ensuring that the implementation of changes takes place at the right time and does not disturb the business processes involved