Domain 1 of 5 · Chapter 4 of 4

Change Management

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing CompTIA Security+ premium course — no separate purchase.

Included in this chapter:

  • Change management as a security control
  • Technical implications, documentation, and version control
  • Exam-pattern recognition: spotting the change-management answer

Change-management element → security purpose

ElementSecurity purposeRisk if skipped
Approval process & ownershipForces review and assigns accountability before a change touches productionUnauthorized or unreviewed changes; no one answerable for the outcome
Impact analysisSurfaces security exposure and affected systems in advanceUndetected blast radius; a change opens an unseen attack path
Test resultsProves the change behaves as intended outside productionUntested change breaks a control or service on first contact
Backout planRestores the prior known-good state on failureNo recovery path; an outage or misconfiguration persists
Maintenance windowConfines downtime and restarts to lowest-impact timeDisruption hits peak usage; dependent services fail unexpectedly
Allow/deny list updateControls what software or traffic is permittedDrift between intended and actual policy; shadow access
Updated diagrams, policies & proceduresKeeps the documented state aligned with reality for responders and auditorsResponders troubleshoot a stale picture; audit findings
Version controlImmutable, attributable history of every changeNo audit trail; cannot prove who changed what or revert cleanly

Decision tree

Active incident forcing action before approval? Yes Emergency change Act now; document + retroactive board review No Pre-approved, low-risk, repeatable change? Yes Standard change Run the SOP / pre-approved path; still logged No Impact analysis, tests, and backout plan ready? No Block until complete Missing gate = the risk; no rollback, no go Yes Normal change approved Board sign-off, named owner, stakeholders notified Implement in maintenance window; update diagrams, policies & version control Always: log the change and keep an attributable, revertible audit trail

Cheat sheet

  • Unmanaged change is itself the vulnerability
  • Baseline changes only through change control
  • Approval gates the change before work begins
  • Ownership assigns end-to-end accountability
  • Stakeholders are identified and consulted first
  • Impact analysis runs before approval, judging security not downtime
  • Test results prove the change works before production
  • Backout plan restores the prior known-good state
  • Maintenance window confines disruptive work
  • SOP covers pre-approved standard changes
  • Allow lists default-deny; deny lists default-allow
  • Restricted activities bound the change to its approved scope
  • Service restart vs application restart
  • Downtime drives the need for a maintenance window
  • Dependencies make a single change cascade
  • Legacy apps force compensating controls
  • Update diagrams to match the post-change topology
  • Update policies and procedures after a control change
  • Version control is the evidence and rollback layer
  • Emergency change bypasses timing, not accountability
  • Undocumented changes evade monitoring

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. CompTIA Security+ (V7) Certification
  2. NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems (Abstract) Whitepaper
  3. NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems (Full Text) Whitepaper