Configuration / Change Management Review

Virtual CISO Services ISO 27001

Configuration / Change Management Review Information

Effectively managing the never-ending changes driven by shifting business conditions is a challenge for virtually every organization. Managing configuration means providing reasonable assurance that the potentially significant risk introduced by those changes is managed as well. Configuration/change management reviews are intended to provide management with assurance that critical change management processes are in place and operating as intended.

Key activities include:

  • Obtaining an understanding of the control processes, including: process flow, roles and responsibilities, asset tracking and tools, control and logging of changes, communication requirements, and the metrics used;
  • Reviewing the design of the central configuration repository against critical objectives, including compliance with relevant laws/regulations;
  • Collecting initial configuration information, establishing baselines, verifying and auditing configuration information, and validating the configuration repository;
  • Validating that change management and incident management procedures are appropriately integrated; and,
  • Formal reporting on the process, gap analysis, relevant findings, and mitigation roadmap. Where possible the report will also include: root cause analysis, peer-group benchmarking, good practice benchmarking, executive summaries, and technical summaries.

The predominant benefit realized by a Configuration / Change Management Review is:

Assurance that the organization effectively controls change to enterprise IT systems, resources and networks whilst maintaining or improving system availability.

Configuration / Change Management Review: Best Used

Dependent upon client objectives and any request for attestation, a Configuration / Change Management Review is best used:

  • As a means to perform root cause analysis for vulnerabilities that may have been introduced by poor change management processes; and,
  • Where business and security requirements change frequently, resulting in a higher risk relating to the change management process.