You analyze the security impact of a change before implementing it.
What it actually means
Before a change goes in, someone considers what it does to security — could it open a port, weaken a setting, expand scope? It's a step inside your change process, not a separate system.
Pass or fail — an assessor needs a "yes" to each
- Security impact is assessed as part of change approval.
- The assessment is documented for significant changes.
What to have ready
- Change records showing an impact/security review step
- Change policy requiring it
Where teams trip up
- Approving changes without considering security effects
- No documentation that impact was considered