CHM-02—Change Approval
>Control Description
Theme
Type
Policy/Standard
Change Management Policy
>Implementation Guidance
1. Ensure that all changes to the production environment are tracked in a Change Management tracking tool. All change details should be documented. The mandatory details for each change include:
   a. Change Description
   b. Change Impact
   c. Test Details
   d. Roll-out and Roll-back Plan
   e. Change Approval
   f. Change date and time
2. All changes to the production environment should be approved by authorized personnel prior to implementation. Make sure that the approver is independent of the change requestor and the change implementor. If not, check that there is a secondary approver so that segregation of duties is maintained.
3. Make sure that the deployment and change logs are retained as per the organization's policy.
>Testing Procedure
1. Inspect the Change Management tracking tool to determine that, prior to introducing changes into the production environment, approval from appropriate personnel is documented, including the following:
   a. Change description
   b. Impact of change
   c. Test results
   d. Back-out procedures
2. For a sample of changes, inspect the corresponding change tickets and verify that each includes the following information:
   a. Change Description
   b. Impact of changes
   c. Roll back plan
   d. Evidence of successful testing documentation
   e. Approval of change prior to implementation
3. For the sampled changes, validate that the change was approved by a person independent of the person who requested or made the change. Alternatively, ensure that there is a second level of approval so that segregation of duties is maintained.
4. Inspect whether the change logs are retained as per the organization's policy.
>Audit Artifacts
>Framework Mappings
Cross-framework mappings provided by Adobe CCF Open Source under Creative Commons License.