PDP-7 Change Management Workflow

What is this control about?

Policies, procedures and documentation are an integral part of a good security program. A change management workflow provides the step-by-step procedures required in the creation, development and implementation of a change.

As an organization, you must define the different types of changes (application, infrastructure, etc.) that could happen in your environment and define the procedure to occur to take that change through deployment. There is no right or wrong here to the format, as each organization is unique.

The workflow must include a representation of the key tasks. Usually, the following key tasks are required:

• Planning
• Design
• Development
• Testing
• Approval
• Implementation/Deployment

Available tools in the marketplace

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

• TrustCloud Policy
• Change Management Workflow template example

Control implementation

Document a change Management policy and workflow that includes the following components:

1. The changes types in your organization (i.e infrastructure change, application changes, etc..)
2. The process to identify and prioritize changes
3. The changes tracking process
4. The changes development process
5. The changes testing process
6. The changes approvals process
7. The changes deployment process

What evidence do auditors look for?

Most auditors, at a minimum are looking for the below suggested action:

• Provide your change management policy/workflow

Evidence example

From the suggested action above, an example is provided below.

1. Provide your change management policy/workflow.

TrustCloud example demonstrates the development lifecycle procedures available in TrustCloud intranet share site