ID.RA-07—Changes and exceptions are managed, assessed for risk impact, recorded, and tracked
>Control Description
This risk assessment subcategory ensures that changes and exceptions are managed, assessed for risk impact, recorded, and tracked. Key activities include: Implement and follow procedures for the formal documentation, review, testing, and approval of proposed changes and requested exceptions; Document the possible risks of making or not making each proposed change, and provide guidance on rolling back changes; Document the risks related to each requested exception and the plan for responding to those risks.
>Cross-Framework Mappings
PCI DSS v4.0.1
via NIST OLIR CatalogISO 27001:2022
via NIST OLIR Catalog>Informative References
Official NIST mappings to external frameworks and standards. Source: NIST CSF 2.0
CCMv4.0
A&A-05
AIS-06
CCC-02
CCC-03
CCC-06
CCC-08
CCC-09
CEK-05
+3 more
CRI Profile v2.0
ID.RA-07
ID.RA-07.01
ID.RA-07.02
ID.RA-07.03
ID.RA-07.04
ID.RA-07.05
CSF v1.1
PR.IP-3
CoP
A5
ISO/IEC 27001:2022
Mandatory Clause: 6.1.3
Annex A Controls: 8.32
NICE Framework
IO-WRL-006
OG-WRL-010
OG-WRL-011
OG-WRL-013
OG-WRL-014
PD-WRL-006
PD-WRL-007
PCI DSS
12.3.1
12.3.2
10.4.2.1
9.5.1.2.1
8.6.3
SCF
CHG-01
CHG-02
CHG-02.1
CHG-02.2
CHG-03
CHG-04
SP 800-171 Rev 3
03.04.03
03.04.04
SP 800-218
PO.5.2
SP 800-221A
MA.RI-3
SP 800-53 Rev 5.1.1
CA-07
CM-03
CM-04
SP 800-53 Rev 5.2.0
CA-07
CM-03
CM-04
SP-800-37 Rev 2
RMF Select Step: TASK S-4 Documentation of Planned Control Implementations
RMF Implement Step: TASK I-2 Update Control Implementation Information
RMF Assess Step: TASK A-6 Plan of Action and Milestones
Ask AI
Configure your API key to use AI features.