CM.L2-3.4.3—System Change Management
Level 2
800-171: 3.4.3
Control Description
Track, review, approve or disapprove, and log changes to organizational systems.
Cross-Framework Mappings
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What is your change management policy and process?
- Who has authority to approve different types of changes?
- How do you categorize changes (e.g., standard, normal, emergency)?
- What is your change advisory board structure and meeting frequency?
- How do you ensure all changes are properly documented and tracked?
Technical Implementation:
- What change management tool tracks change requests (ServiceNow, Jira)?
- How do you technically enforce approval before changes are implemented?
- What workflow automation governs the change process?
- What tools log all changes to systems?
- How do you link changes back to approved change requests?
- What rollback capabilities exist for failed changes?
Evidence & Documentation:
- What baseline configuration documentation can you provide?
- What configuration management plan describes your CM processes?
- What change request records and approvals can you show?
- What configuration scanning reports show compliance with baselines?
- What asset inventory documentation lists all system components?
- What security configuration benchmarks are applied to systems?
- What evidence shows configuration changes are tracked and logged?