CyberFundamentals (Belgium)
PR.IP-3: Configuration change control processes are in place.

How to fill the requirement

Definition of done and testing principles
Theme: Development and cloud
Policy: Secure development

This task also fulfils these other security requirements:

  • 14.2.9: System acceptance testing (ISO27 Full)
  • 14.2.3: Technical review of applications after operating platform changes (ISO27 Full)
  • 8.29: Security testing in development and acceptance (ISO27k1 Full)
  • CC8.1: Change management procedures (SOC 2)
  • PR.IP-2: A System Development Life Cycle to manage systems is implemented. (CyFun)

1. Task description

The development unit itself maintains a list of criteria that need to be met before a task can be marked as completed. The criteria may include e.g. review requirements, documentation requirements and testing requirements.

New code will only be implemented after extensive testing that meets pre-defined criteria. Tests should cover usability, security, effects on other systems, and user-friendliness.

Configuration management and change log
Theme: Technical cyber security
Policy: Network security

This task also fulfils these other security requirements:

  • 8.9: Configuration management (ISO27k1 Full)
  • CC7.1: Procedures for monitoring changes to configurations (SOC 2)
  • 1.2.4: Definition of responsibilities with service providers (TISAX)
  • PR.IP-3: Configuration change control processes are in place. (CyFun)
  • DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed. (CyFun)

1. Task description

Current configurations of devices, data systems and networks are documented and a log is maintained of configuration changes.

Changes to configurations must be controlled and go through the change management procedure. Only authorized personnel are allowed to make changes to the configurations.

Configuration information may include e.g.:

  • property owner and contact point information
  • date of last configuration change
  • configuration model version
  • connections to other assets

Evaluation process and documentation of significant security-related changes
Theme: Risk management and leadership
Policy: Risk management

This task also fulfils these other security requirements:

  • 6.3: Planning of changes (ISO27k1 Full)
  • 8.1: Operational planning and control (ISO27k1 Full)
  • 12.1.2: Change management (ISO27 Full)
  • 6.5: Installation, maintenance and updating of information systems (Self-monitoring)
  • PR.IP-3: Configuration change control processes (NIST)

1. Task description

In systematic cyber security work, the impact of significant changes must be assessed in advance and they must be executed in a controlled way. The consequences of unintentional changes must be assessed and efforts made to mitigate possible adverse effects.

Significant changes may include: changes in the organization, operating environment, business processes and data systems. Changes can be identified e.g. through management reviews and other cyber security work.
