cc3-4 | Medium priority | Security / Risk Assessment

Significant changes are assessed for security impact

Major changes to the organization, technology, or environment can invalidate existing controls or introduce new risks. Acquisitions, new product lines, significant infrastructure changes, key staff departures, and new regulatory requirements all have security implications. This control requires a process to identify significant changes, assess their risk impact, and update controls accordingly — rather than discovering the gap during an audit or an incident.

Complete first: cc3-2

Implementation steps

  1. Define what constitutes a significant change

    Document the types of changes that trigger a security impact assessment. Common examples: launching a new product or entering a new market, migrating to a new cloud provider or making another major infrastructure change, acquiring or being acquired, significant headcount changes (especially in IT or security), new regulatory requirements affecting your industry, onboarding a major new customer, or handling a new type of data.

  2. Build security review into change processes

    Add a security impact assessment step to your change management process for significant changes. The assessment should answer: Does this change introduce new risks? Does it require new controls? Does it invalidate existing controls? Who is the security owner for this change?

  3. Update the risk register after significant changes

    When a significant change occurs, update the risk register to reflect any new or modified risks. This ensures your risk posture documentation stays current and demonstrates that the change assessment process actually resulted in action.


Evidence required

Significant change definition and process

Documentation of what triggers a security impact assessment and how it is conducted.

  • Change management policy with security assessment trigger criteria
  • Security review checklist for significant changes
  • Risk assessment policy with change triggers defined

Records of change-triggered assessments

Evidence that security impact assessments were conducted when significant changes occurred.

  • Security review document for an infrastructure migration
  • Updated risk register entry following a major product launch
  • Change advisory board minutes with security impact noted

Related controls