change-management Controls

Changes and exceptions are managed, assessed for risk impact, and tracked

Significant changes are assessed for security impact

Changes to infrastructure and software are authorized and managed