CM-17 Change Management
Requirements & Design Approval
Systems are built to approved requirements.
- Domain: Change Management
- Control type: Preventive
- Automated / manual: Manual
- Frequency: Per project
- Framework reference: COBIT BAI02
What good looks like
Requirements documented and approved; designs (incl. controls/security) reviewed.
Risk if it fails
Systems that fail to meet needs/controls.
How Tess tests it
3 tests — each concludes only on cited evidence.
Requirements & design-review process defined
Design
- Procedure: Inspect the process.
- Expected: Defined.
- Sample: 1 (design inspection)
- Evidence: Requirements documents, design-review approvals.
Requirements documented & signed off
Operating
- Procedure: Sample a project.
- Expected: Requirements approved.
- Sample: Judgmental, by population (e.g. 10–25)
- Evidence: Requirements documents, design-review approvals.
Design (incl. controls/security) reviewed
Operating
- Procedure: Inspect the design review.
- Expected: Reviewed and approved.
- Sample: Judgmental, by population (e.g. 10–25)
- Evidence: Requirements documents, design-review approvals.
Evidence Tess looks for
Requirements documents, design-review approvals.