CM-01 Change Management

Change Management Policy

Changes are governed by a documented, current standard.

Domain: Change Management
Control type: Preventive
Automated / manual: Manual
Frequency: Annual review
Framework reference: COBIT BAI06

What good looks like

A CM policy defines change types, approval gates, testing and segregation expectations.

Risk if it fails

Inconsistent/uncontrolled changes.

How Tess tests it

3 tests — each concludes only on cited evidence.

CM policy approved and current

Design

Procedure: Inspect the policy.
Expected: Approved and reviewed within cycle.
Sample: 1 (design inspection)
Evidence: Change-management policy and approval record.

Policy defines types, gates, testing, SoD

Design

Procedure: Inspect the policy content.
Expected: Comprehensive coverage.
Sample: 1 (design inspection)
Evidence: Change-management policy and approval record.

Policy communicated to staff

Operating

Procedure: Inspect distribution/acknowledgement.
Expected: Communicated to relevant staff.
Sample: 1
Evidence: Change-management policy and approval record.

Evidence Tess looks for

Change-management policy and approval record.

More in Change Management

CM-02 Change Request & Documentation CM-03 Change Authorisation CM-04 Testing / UAT Before Production CM-05 Environment Segregation

Want Tess to test CM-01 against your evidence?