2404.0—2404.0
>Control Description
The Supplier shall formally document, publish and review (minimum every 12 months) the change control procedures to manage changes to information systems, supporting infrastructure and facilities. The change management policy includes:
i) Definitions of the types of change (e.g. standard, critical, emergency) with associated processes
ii) Roles and responsibilities for those involved in the change or approving the change.
Prior to implementing any changes, Supplier shall:
i) Establish acceptance criteria for production change approval and implementation
ii) Require stakeholder approval prior to any change implementation
iii) Formally record the change in a centralised repository
iv) Document business impact analysis outcomes and document back-out procedures should the change fail
v) Keep a full audit trail of the change request, testing conducted, associated documentation, approvals and outcomes
vi) Document and record security impact analysis outcomes along with any mitigating actions.
>Cross-Framework Mappings