Change management is one of the most fundamental controls in IT audit. Changes to systems, applications, infrastructure and configurations are a significant source of incidents when they are not carried out in a structured way. An effective change management process ensures that changes take place in a controlled, authorised and documented manner.
Change management plays a central role in virtually every audit framework. SOC 2 assesses change management under the Common Criteria CC8.1. ISO 27001 addresses it in several Annex A controls. ITIL describes change management as a core process. For the auditor, it is one of the first areas to be tested.
The change management process begins with a request for change. The auditor checks whether changes are requested, described and assessed before they are implemented. This includes a risk assessment: what is the impact of the change and what are the risks if it goes wrong? Critical changes require approval by a change advisory board or a comparable body.
Segregation of duties is an essential component. The auditor checks whether the person who develops a change is not the same person who approves it or deploys it to production. This segregation of duties prevents unauthorised or untested changes from ending up in production.
Testing prior to implementation is another key point. The auditor assesses whether changes are tested in an environment comparable to production, whether test results are documented, and whether acceptance criteria have been defined that the test must meet.
The implementation itself is also assessed. Is there an implementation plan? Is there a rollback plan in case the change fails? Is the change carried out during a maintenance window to minimise impact on users? Is the change verified after implementation?
Emergency changes are a particular area of focus. In urgent situations, the regular process cannot always be followed. The auditor checks whether there is a separate process for emergency changes, whether these are nonetheless documented and approved afterwards, and whether emergency changes are not being used as a structural workaround for the regular process.
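The checks described above (authorisation, segregation of duties, testing and rollback, and retrospective approval of emergency changes, including the warning that emergency changes must not become a structural workaround) can be run mechanically over an export of the change log. The following Python is an added example written for this article; it is not Secure Audit's tooling and not derived from any real change management system. The record layout, the field names, the sample change records and the 20 % emergency-change threshold are all assumptions chosen for illustration.

```python
"""Control tests over a change log, automated the way an auditor might.

Added example for this article, not Secure Audit's own tooling. The record
layout, field names, sample data and the 20 % emergency-change threshold are
assumptions; real change tools export different fields.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ChangeRecord:
    change_id: str
    developer: str
    approver: Optional[str]       # None = no approval recorded
    deployer: Optional[str]       # None = not yet deployed
    tested: bool                  # tested in a production-like environment
    test_results_documented: bool
    rollback_plan: bool
    emergency: bool = False
    post_approved: bool = False   # retrospective approval of an emergency change


def check_change(rec: ChangeRecord) -> List[str]:
    """Return the control exceptions found for one change record."""
    findings: List[str] = []

    # Authorisation: a regular change needs an approver before deployment.
    if rec.approver is None and not rec.emergency:
        findings.append("no approval recorded")

    # Segregation of duties: the developer may neither approve nor deploy.
    if rec.approver is not None and rec.approver == rec.developer:
        findings.append("developer approved own change")
    if rec.deployer is not None and rec.deployer == rec.developer:
        findings.append("developer deployed own change")

    # Testing before implementation, with documented results and a rollback plan.
    if rec.deployer is not None:
        if not rec.tested:
            findings.append("deployed without testing")
        elif not rec.test_results_documented:
            findings.append("test results not documented")
        if not rec.rollback_plan:
            findings.append("no rollback plan")

    # Emergency changes bypass prior approval but must be approved afterwards.
    if rec.emergency and not rec.post_approved:
        findings.append("emergency change not approved afterwards")

    return findings


def audit_changes(records: List[ChangeRecord],
                  emergency_ratio_threshold: float = 0.2) -> Dict[str, List[str]]:
    """Run check_change over a population and add one population-level test.

    The population-level test fires when emergency changes exceed the
    threshold share of all changes: the 'structural workaround' signal.
    The threshold is an assumed value, not an audit standard.
    """
    report = {r.change_id: check_change(r) for r in records}
    if records:
        ratio = sum(r.emergency for r in records) / len(records)
        if ratio > emergency_ratio_threshold:
            report["POPULATION"] = [
                f"emergency changes are {ratio:.0%} of all changes "
                f"(threshold {emergency_ratio_threshold:.0%})"
            ]
    return report


# Constructed sample change log (fictional people and change IDs).
SAMPLE_CHANGES = [
    ChangeRecord("CHG-001", "alice", "bob", "carol", True, True, True),
    ChangeRecord("CHG-002", "alice", "alice", "carol", True, True, True),
    ChangeRecord("CHG-003", "dave", "bob", "dave", False, False, False),
    ChangeRecord("CHG-004", "erin", None, "carol", True, True, True, emergency=True),
    ChangeRecord("CHG-005", "erin", None, "carol", True, True, True,
                 emergency=True, post_approved=True),
]

if __name__ == "__main__":
    for change_id, findings in audit_changes(SAMPLE_CHANGES).items():
        print(change_id, "OK" if not findings else "; ".join(findings))
```

Each per-change finding maps to one of the questions the auditor asks; the population-level finding is the only check that needs the whole log rather than a single record, which is why it lives in `audit_changes` rather than `check_change`.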
Secure Audit assesses change management processes as a standard part of IT audits. Contact us for an assessment of your change management.
About the author
Partner | IT Auditor