CM.L2-3.4.5—Access Restrictions for Change
Level 2
800-171: 3.4.5
Control Description
Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
Cross-Framework Mappings
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What is your policy for controlling physical and logical access during changes?
- How do you define and enforce access restrictions for change activities?
- Who approves access needed for implementing changes?
- How do you ensure temporary access for changes is removed afterward?
Technical Implementation:
- What technical controls restrict who can make changes?
- How do you implement change windows and access restrictions?
- What privileged access management controls govern change access?
- What audit logging captures who made what changes?
- What approval workflows control access for changes?
Evidence & Documentation:
- What baseline configuration documentation can you provide?
- What configuration management plan describes your CM processes?
- What change request records and approvals can you show?
- What configuration scanning reports show compliance with baselines?
- What asset inventory documentation lists all system components?
- What security configuration benchmarks are applied to systems?
- What evidence shows configuration changes are tracked and logged?