Skip to main content

CHG-02.2: Test, Validate & Document Changes

CHG 9 — Critical Protect

Mechanisms exist to appropriately test and document proposed changes in a non-production environment before changes are implemented in a production environment.

Control Question: Does the organization appropriately test and document proposed changes in a non-production environment before changes are implemented in a production environment?

General (35)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC3.4 CC8.1 CC8.1-POF10 CC8.1-POF13 CC8.1-POF16 CC8.1-POF4 CC8.1-POF5 CC8.1-POF7
COSO 2017 Principle 9
CSA CCM 4 CCC-02
CSA IoT SCF 2 CCM-08
Generally Accepted Privacy Principles (GAPP) 1.2.6
GovRAMP Low+ CM-03(02)
GovRAMP Moderate CM-03(02)
GovRAMP High CM-03(02)
ISO 27002 2022 8.19 8.32
ISO 27017 2015 14.2.3
MPA Content Security Program 5.1 TS-5.0
NIST 800-53 R4 CM-3(2) CM-5(2)
NIST 800-53 R4 (high) CM-3(2) CM-5(2)
NIST 800-53 R5 (source) CM-3(2) CM-3(7) SA-8(31)
NIST 800-53B R5 (moderate) (source) CM-3(2)
NIST 800-53B R5 (high) (source) CM-3(2)
NIST 800-53 R5 (NOC) (source) CM-3(7) SA-8(31)
NIST 800-82 R3 MODERATE OT Overlay CM-3(2)
NIST 800-82 R3 HIGH OT Overlay CM-3(2)
NIST 800-161 R1 CM-3(2)
NIST 800-161 R1 Level 2 CM-3(2)
NIST 800-161 R1 Level 3 CM-3(2)
NIST 800-171 R2 (source) NFO-CM-3(2)
NIST 800-171 R3 (source) 03.04.03.b 03.04.03.c 03.04.04.a 03.04.11.b
NIST 800-171A R3 (source) A.03.04.03.c[02]
NIST CSF 2.0 (source) ID.RA-07
PCI DSS 4.0.1 (source) 6.5 6.5.1 6.5.2 A3.2.2.1
PCI DSS 4.0.1 SAQ A-EP (source) 6.5.1 6.5.2
PCI DSS 4.0.1 SAQ C (source) 6.5.1 6.5.2
PCI DSS 4.0.1 SAQ D Merchant (source) 6.5.1 6.5.2
PCI DSS 4.0.1 SAQ D Service Provider (source) 6.5.1 6.5.2
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) CHG-02.2
SCF CORE ESP Level 1 Foundational CHG-02.2
SCF CORE ESP Level 2 Critical Infrastructure CHG-02.2
SCF CORE ESP Level 3 Advanced Threats CHG-02.2
US (11)
Framework Mapping Values
US C2M2 2.1 ASSET-4.B.MIL1 ASSET-4.C.MIL2 ASSET-4.D.MIL2 ASSET-4.E.MIL2 ASSET-4.F.MIL2 ASSET-4.G.MIL2 ASSET-4.H.MIL3 ASSET-4.I.MIL3
US CMS MARS-E 2.0 CM-3(2)
US FedRAMP R4 CM-3(2) CM-5(2)
US FedRAMP R4 (high) CM-3(2) CM-5(2)
US FedRAMP R5 (source) CM-3(2)
US FedRAMP R5 (moderate) (source) CM-3(2)
US FedRAMP R5 (high) (source) CM-3(2)
US IRS 1075 CM-3(2)
US NERC CIP 2024 (source) CIP-010-4 1.4.2 CIP-010-4 1.5.1 CIP-010-4 1.5.2
US - CA CCPA 2025 7123(c)(5)(D) 7123(c)(5)(E)
US - TX TX-RAMP Level 2 CM-3(2)
EMEA (8)
Framework Mapping Values
EMEA EU EBA GL/2019/04 3.4.4(37) 3.6.3(75) 3.6.3(76)
EMEA Germany C5 2020 DEV-06 DEV-08 DEV-09
EMEA Israel CDMO 1.0 10.6 12.21 12.30 14.6 14.8 14.9 14.10
EMEA Saudi Arabia CSCC-1 2019 1-3-1-2
EMEA Saudi Arabia IoT CGIoT-1 2024 1-5-3
EMEA Saudi Arabia ECC-1 2018 1-6-2-1 1-6-3-5
EMEA Saudi Arabia OTCC-1 2022 1-5-3-2
EMEA Saudi Arabia SACS-002 TPC-73
APAC (4)
Framework Mapping Values
APAC India SEBI CSCRF PR.MA.S1
APAC Japan ISMAP 14.2.3
APAC New Zealand NZISM 3.6 6.3.8.C.01
APAC Singapore MAS TRM 2021 7.4.2 7.5.3 7.5.5 7.5.7
Americas (3)
Framework Mapping Values
Americas Canada CSAG 6.11
Americas Canada OSFI B-13 2.5.1
Americas Canada ITSP-10-171 03.04.03.B 03.04.03.C 03.04.04.A 03.04.11.B

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to appropriately test and document proposed changes in a non-production environment before changes are implemented in a production environment.

Level 1 — Performed Informally

Change Management (CHG) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Govern changes to systems, applications and services to ensure their stability, reliability and predictability. o Notify stakeholders about proposed changes.

  • IT personnel use an informal process to:
  • Logical Access Control (LAC) limits the ability of non-administrators from making unauthorized configuration changes to systems, applications and services.
  • Requests for Change (RFC) are submitted to IT personnel.
  • prior to changes being made, RFCs are informally reviewed for cybersecurity and data privacy ramifications.
  • Whenever possible, IT personnel test changes to business-critical systems/services/applications on a similarly configured IT environment as that of Production, prior to widespread production release of the change.
  • IT personnel use an informal process to verify the functionality of security controls when anomalies or misconfigurations are discovered.
Level 2 — Planned & Tracked

Change Management (CHG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Change management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for change management.
  • Changes are tracked through a centralized technology solution to submit, review, approve and assign Requests for Change (RFC).
  • A Change Advisory Board (CAB), or similar function, exists to govern changes to systems, applications and services to ensure their stability, reliability and predictability.
  • A CAB, or similar function, reviews RFCs for cybersecurity and data privacy ramifications.
  • A CAB, or similar function, notifies stakeholders to ensure awareness of the impact of proposed changes.
  • Logical Access Control (LAC) limits the ability of non-administrators from making unauthorized configuration changes to systems, applications and services.
  • Cybersecurity controls are tested after a change is implemented to ensure cybersecurity controls are operating properly.
  • Up on implementing the RFC, the technician implementing a change tests to ensure anti-malware, logging and other cybersecurity and data protection controls are still implemented and operating properly.
  • Results from testing changes are documented.
  • Up on completing the RFC, the CAB reports the results of cybersecurity and data privacy function verification to senior management.
Level 3 — Well Defined

Change Management (CHG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Exists to govern changes to systems, applications and services to ensure their stability, reliability and predictability. o Reviews RFC for cybersecurity and data privacy ramifications. o Notifies stakeholders to ensure awareness of the impact of proposed changes.

  • An IT Asset Management (ITAM) function, or similar function, ensures compliance with requirements for asset management.
  • ITAM leverages a Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets.
  • Logical Access Control (LAC) is governed to limit the ability of non-administrators from making configuration changes to systems, applications and services.
  • A formal Change Management (CM) program ensures that no unauthorized changes are made, that all changes are documented, that services are not disrupted and that resources are used efficiently.
  • The CM function has formally defined roles and associated responsibilities.
  • Changes are tracked through a centralized technology solution to submit, review, approve and assign Requests for Change (RFC).
  • A Change Advisory Board (CAB), or similar function:
  • IT personnel use dedicated development/test/staging environments to deploy and evaluate changes, wherever technically possible.
  • Up on implementing the RFC, the technician implementing a change tests to ensure anti-malware, logging and other cybersecurity and data protection controls are still implemented and operating properly.
  • Results from testing changes are documented.
  • A structured set of controls are tested after a change is implemented to ensure cybersecurity controls are operating properly.
  • Results from testing changes are documented.
  • CM leverages Information Technology Infrastructure Library (ITIL) Service Management practices to govern CM operations (includes SecDevOps considerations).
  • Up on completing the RFC, the CAB reports the results of cybersecurity and data privacy function verification to senior management.
  • Up on implementing the RFC, the technician implementing a change tests to ensure anti-malware, logging and other cybersecurity and data protection controls are still implemented and operating properly.
  • A vulnerability assessment is conducted on systems/applications/services to detect any new vulnerabilities that a change may have introduced.
Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to appropriately test and document proposed changes in a non-production environment before changes are implemented in a production environment.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to appropriately test and document proposed changes in a non-production environment before changes are implemented in a production environment.

Assessment Objectives

  1. CHG-02.2_A01 changes to the system are tested before finalizing the implementation of the changes.
  2. CHG-02.2_A02 changes to the system are validated before finalizing the implementation of the changes.
  3. CHG-02.2_A03 changes to the system are documented before finalizing the implementation of the changes.
  4. CHG-02.2_A04 the frequency at which changes are to be reviewed is defined.
  5. CHG-02.2_A05 the circumstances under which changes are to be reviewed are defined.
  6. CHG-02.2_A06 changes to the system are reviewed organization-defined frequency or when organization-defined circumstances to determine whether unauthorized changes have occurred.
  7. CHG-02.2_A07 systems or system components that implement the security design principle of secure system modification are defined.
  8. CHG-02.2_A08 systems or system components implement the security design principle of secure system modification.
  9. CHG-02.2_A09 approved configuration-controlled changes to the system are documented.

Evidence Requirements

E-CHG-03 Change Control Board (CCB) Minutes

Documented evidence of Change Control Board (CCB) meeting minutes

Change Management
E-CHG-05 Change Control Records

Documented evidence of change control records.

Change Management

Technology Recommendations

Micro/Small

  • Change Control Board (CCB)
  • Configuration Management Database (CMDB)
  • VisibleOps (https://itpi.org)

Small

  • Change Control Board (CCB)
  • Configuration Management Database (CMDB)
  • VisibleOps (https://itpi.org)

Medium

  • Change Control Board (CCB)
  • Configuration Management Database (CMDB)
  • VisibleOps (https://itpi.org)

Large

  • Change Control Board (CCB)
  • Configuration Management Database (CMDB)
  • VisibleOps (https://itpi.org)

Enterprise

  • Change Control Board (CCB)
  • Configuration Management Database (CMDB)
  • VisibleOps (https://itpi.org)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free