Domain 7 of 8 · Chapter 9 of 15

Change Management

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.

Included in this chapter:

  • What change management is, and why it exists
  • The change-control workflow, step by step
  • The Change/Configuration Control Board and emergency changes
  • Exam-pattern recognition

Change management vs. its neighbours

Question is aboutDisciplineCore artifactOwner of the decision
Approving a modification (request, impact analysis, board)Change managementChange request + approval recordChange/Configuration Control Board
Whether the system still matches its approved baselineConfiguration managementBaseline + component inventorySystem owner / CM process
Code review, version control, build/releaseSoftware development securitySource repo + release pipelineDev team / release manager
Triaging and containing a live attackIncident managementIncident response planCSIRT / incident handler

Cheat sheet

  • Change management is the approval process; configuration management is the technical state
  • Run every change through request → impact analysis → approval → test → implement → document → review
  • Run a security-impact analysis before approving any change
  • Never approve a change without a documented back-out (rollback) plan
  • The Change/Configuration Control Board owns the approval decision
  • The approver must be independent of the requester (separation of duties)
  • The CCB is cross-functional, and some members advise without voting
  • Preapprove low-risk routine changes as standard changes against documented criteria
  • Emergency changes are expedited, then governed retroactively, never skipped
  • Test approved changes before they reach the operational environment
  • Do the post-implementation review to confirm the change landed as approved
  • Unmanaged, ad-hoc change is a leading cause of outages and breaches
  • Configuration change control maps to NIST controls CM-3, CM-4, and CM-5
  • An ECAB authorizes genuinely urgent changes fast; objective criteria keep the emergency path from becoming a convenience channel

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems Whitepaper