CM-02 Change Management

Change Request & Documentation

Every change is recorded for traceability.

Domain: Change Management
Control type: Preventive/Detective
Automated / manual: Manual
Frequency: Per event
Framework reference: COBIT BAI06

What good looks like

Changes are logged via a request capturing description, rationale, impact and rollback.

Risk if it fails

Untracked changes; no audit trail.

How Tess tests it

3 tests — each concludes only on cited evidence.

Tool/template captures required fields

Design

Procedure: Inspect the change template.
Expected: Description/rationale/impact/rollback fields present.
Sample: 1 (design inspection)
Evidence: Change tickets/records.

Changes logged before implementation

Operating

Procedure: Sample changes.
Expected: Ticket predates the change.
Sample: Judgmental, by population (e.g. 10–25)
Evidence: Change tickets/records.

Documentation complete on sampled changes

Operating

Procedure: Inspect sampled tickets.
Expected: All required fields populated.
Sample: Judgmental, by population (e.g. 10–25)
Evidence: Change tickets/records.

Evidence Tess looks for

Change tickets/records.

More in Change Management

CM-01 Change Management Policy CM-03 Change Authorisation CM-04 Testing / UAT Before Production CM-05 Environment Segregation

Want Tess to test CM-02 against your evidence?