You govern the tools, techniques, and people doing system maintenance.
What it actually means
Maintenance is a back door into your systems. Control who does it, what tools they use, and how — approved maintenance tools, vetted personnel, and oversight of third parties (an MSP counts). It keeps a 'quick fix' from becoming an uncontrolled entry point.
Pass or fail — an assessor needs a "yes" to each
- Maintenance personnel are authorized and overseen (including third parties such as an MSP).
- Maintenance tools are approved and controlled.
- Maintenance activities are governed by procedure.
What to have ready
- Maintenance policy + approved-tools list
- Vendor/MSP agreements and oversight
- Records of maintenance activity
Where teams trip up
- Unvetted contractors with broad access
- Unknown tools brought in for maintenance
- No oversight of MSP maintenance