Only authorized people can change systems, and that restriction is enforced both physically and logically.
What it actually means
The ability to change a system is itself a privilege, and it has to be restricted and enforced on two fronts: logically (who holds the rights to push a configuration or code change) and physically (who can reach the equipment, its consoles, and its media). In practice this ties change control to least privilege: change rights are granted to the named roles that need them and are not simply inherited from general administrative access.
Pass or fail — an assessor needs a "yes" to each
- Change/config rights are limited to authorized personnel.
- Both logical and physical access to make changes is restricted.
- Restrictions are documented and enforced.
What to have ready
- Role assignments for change/config tooling, showing who can approve and who can apply changes in configuration-management, deployment, and administrative consoles
- Physical access controls to systems, such as badge or key restrictions on server rooms and racks and the records of who holds that access
- A documented policy defining who may make changes, to which systems, and how the logical and physical restrictions are enforced
Where teams trip up
- Every administrator can change every system; change rights are never scoped to specific systems or roles
- No physical access control on on-prem gear, so anyone in the building can reach consoles or storage
- Change rights are not separated from day-to-day use; the same accounts used for routine work also carry standing change permissions