Changes and exceptions are managed, assessed for risk impact, and tracked
Every change to your environment, whether a new service, a configuration update, or a policy exception, carries risk. Organizations that manage changes ad hoc accumulate unknown risks: the exception that was granted for three months two years ago and never expired, the quick config change that opened an unexpected port. A change and exception management process surfaces these risks before they become incidents.
Implementation steps
1. Define a change management process with a security review gate
For significant changes (new third-party integrations, changes to network configuration, major software deployments, cloud architecture changes), require a security review before implementation. Define what counts as a significant change so the process is neither so broad that it becomes a bottleneck nor so narrow that it misses real risks. Record the reviewer's decision on the change ticket itself so the review is evidenced rather than remembered.
Tools: Jira, ServiceNow, Linear
2. Create a formal exception process with time limits
When a control cannot be fully met because of operational constraints, require a formal exception request that states which control is being bypassed, why, what compensating controls are in place, who approved it, and how long the exception is needed. Set a maximum exception duration (typically 90 days), after which the exception must be re-approved or the gap remediated. Track every open exception in a single register so that none can lapse unnoticed.
Tools: Jira, ServiceNow, Google Sheets
3. Review open exceptions and unapproved changes on a regular cycle
At least monthly, review the register of open exceptions to identify those approaching expiry or whose circumstances have changed, and review recent changes for any that bypassed the change process. Close expired exceptions or escalate them for re-approval. This prevents exception debt from accumulating silently.
Tools: Jira, ServiceNow, Google Sheets
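Steps 2 and 3 together amount to a small, repeatable check over the exception register: reject requests that exceed the maximum duration or lack compensating controls and an approver, and each month bucket the remaining open exceptions into expired, expiring soon, and still valid. The script below is an added example, not code from the page or from any of the tools named above; the register columns, the 90-day maximum, the 14-day warning window, the review date, and the sample rows are all constructed assumptions for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample register (not from the page). Column names are an
# assumption; they mirror the evidence list: rationale, compensating
# controls, approver, approval and expiry dates, status.
SAMPLE_REGISTER = """\
id,control,rationale,compensating_controls,approver,approved_on,expires_on,status
EXC-001,MFA on legacy VPN,Appliance lacks MFA support,IP allow-list; VPN logs to SIEM,ciso,2024-01-10,2024-04-09,open
EXC-002,Patch SLA 30d,Vendor patch breaks integration,WAF rule; host isolated,ciso,2024-03-01,2024-03-29,open
EXC-003,TLS 1.2 minimum,Partner endpoint only supports TLS 1.0,Dedicated egress; traffic logged,secops-lead,2024-02-20,2024-08-18,open
EXC-004,Encrypted backups,Backup tool upgrade pending,,ciso,2024-03-05,2024-04-04,open
EXC-005,Least privilege on prod DB,Migration needs owner role,Temporary creds; session recording,dba-lead,2023-06-01,2023-08-30,closed
EXC-006,Secrets in CI logs,Runner upgrade scheduled,Log masking; access restricted,secops-lead,2024-03-20,2024-06-18,open
"""

MAX_EXCEPTION_DAYS = 90          # the page's "typically 90 days"
WARN_DAYS = 14                   # assumed: flag expiry within two weeks
REVIEW_DATE = date(2024, 4, 1)   # assumed date of the monthly review


def parse_register(text):
    """Read the CSV register and convert the date columns."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["approved_on"] = date.fromisoformat(r["approved_on"])
        r["expires_on"] = date.fromisoformat(r["expires_on"])
    return rows


def validate(row, max_days=MAX_EXCEPTION_DAYS):
    """Return the policy violations for one exception record (empty if valid)."""
    problems = []
    if not row["compensating_controls"].strip():
        problems.append("no compensating controls documented")
    if not row["approver"].strip():
        problems.append("no approver")
    granted_for = (row["expires_on"] - row["approved_on"]).days
    if granted_for > max_days:
        problems.append(f"duration {granted_for}d exceeds {max_days}d maximum")
    return problems


def review(rows, today, warn_days=WARN_DAYS):
    """Bucket open exceptions for the monthly review.

    Invalid records are reported first so a malformed exception is fixed
    rather than silently re-approved; closed records are ignored.
    """
    report = {"invalid": [], "expired": [], "expiring_soon": [], "ok": []}
    for r in rows:
        if r["status"] != "open":
            continue
        problems = validate(r)
        if problems:
            report["invalid"].append((r["id"], problems))
        elif r["expires_on"] < today:
            report["expired"].append(r["id"])
        elif r["expires_on"] <= today + timedelta(days=warn_days):
            report["expiring_soon"].append(r["id"])
        else:
            report["ok"].append(r["id"])
    return report


def build_report(text=SAMPLE_REGISTER, today=REVIEW_DATE):
    """Parse the register and run the review; returns the report dict."""
    return review(parse_register(text), today)


if __name__ == "__main__":
    for bucket, items in build_report().items():
        print(f"{bucket}: {items}")
```

Running it against the sample register on the assumed review date flags EXC-003 (granted for 180 days) and EXC-004 (no compensating controls) as invalid, EXC-002 as expired, EXC-001 as expiring within the warning window, and EXC-006 as still valid; the closed EXC-005 is skipped. Pointing `parse_register` at an export from whichever tool holds the register gives the same check over real data.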
Evidence required
Change management records with security review
Evidence that significant changes went through a security review before implementation.
- Change request tickets with a security review approval field
- Change advisory board meeting notes showing the security assessment
- Pull request or deployment approval records showing security sign-off
Exception log with expiration dates
A current register of all open policy or control exceptions with documented rationale, compensating controls, approver, and expiration date.
- Exception register spreadsheet with open and closed exceptions
- GRC platform exception management records
- Signed exception approval forms with expiration dates
Related controls
- The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks (Oversight)
- Risk management objectives are established and agreed to by organizational stakeholders (Risk Management Strategy)
- Risk appetite and risk tolerance statements are established, communicated, and maintained (Risk Management Strategy)
- Cybersecurity risk management activities and outcomes are included in enterprise risk management processes (Risk Management Strategy)