Changes to systems are tracked, reviewed, approved, and logged.
What it actually means
A basic change-management process: proposed changes are tracked, reviewed, approved (or rejected), and the decision is logged. It keeps ad-hoc changes from quietly breaking your security posture.
Pass or fail — an assessor needs a "yes" to each
- Changes are tracked and approved before implementation.
- Approval/disapproval is logged.
- A defined process exists (even a lightweight ticket/log).
What to have ready
- Change-management policy
- Change tickets/records with approvals
Where teams trip up
- Changes made directly with no record
- No approval step for production changes