Change Management
Description
Changes to information processing facilities and information systems shall be subject to change management procedures.
⚠️ Risk Impact
Unauthorised or poorly-tested changes are the second-most-common cause of production incidents (after vulnerabilities). Change management is the discipline that distinguishes mature engineering organisations from chaotic ones.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Route all production changes through pull requests with required reviewers. Manage all infrastructure as code — no manual console mutations. Document the change request, its testing, and its approval in tickets.
💀 Real-World Attack Scenario
A senior engineer 'just toggled a setting' on a production load balancer and accidentally disabled TLS enforcement for 14 hours. Customer auth tokens were captured by a passive network observer. The change was undocumented, so on-call had no way to know it had happened until customer reports surfaced.
💰 Cost of Non-Compliance
Change-management failures as breach contributor: 27% of 2024 cloud breaches (Mandiant M-Trends).
📋 Audit Questions
1. Change workflow?
2. % of changes through documented review?
3. Example of a rejected change?
4. Emergency change handling?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Console-driven changes bypassing IaC
- ⛔ Emergency change paths used routinely
- ⛔ Pro forma change approval — reviewers rubber-stamp
📈 Business Value
Disciplined change management converts every change into an auditable, reviewable artefact.
⏱️ Effort Estimate
8-12 hours quarterly workflow refinement
EchelonGraph detects out-of-band changes and reconciles them against approved tickets.
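The reconciliation the remediation and detection notes above describe (every production mutation must trace back to an approved ticket, scoped to the right resource, inside its change window) can be checked with a short script. The following is an added example, not EchelonGraph's own code; the audit-event shape, ticket register and resource names are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


@dataclass
class Ticket:
    resource: str      # resource the approved change is scoped to
    approved: bool
    start: datetime    # approved change window
    end: datetime


# Constructed approved-change register (placeholder ticket ids).
TICKETS = {
    "CHG-101": Ticket("lb-prod-web", True, ts("2024-03-01T09:00:00"), ts("2024-03-01T10:00:00")),
    "CHG-102": Ticket("role-prod-api", False, ts("2024-03-01T23:00:00"), ts("2024-03-02T01:00:00")),
}

# Constructed mutation events in a simplified, hypothetical audit-log shape.
EVENTS = [
    {"ts": "2024-03-01T09:05:00", "actor": "ci-deployer", "action": "UpdateListener", "resource": "lb-prod-web", "ticket": "CHG-101"},
    {"ts": "2024-03-01T14:22:00", "actor": "alice", "action": "ModifyListener", "resource": "lb-prod-web", "ticket": None},
    {"ts": "2024-03-01T23:50:00", "actor": "ci-deployer", "action": "PutRolePolicy", "resource": "role-prod-api", "ticket": "CHG-102"},
    {"ts": "2024-03-01T11:30:00", "actor": "bob", "action": "UpdateListener", "resource": "lb-prod-web", "ticket": "CHG-101"},
]


def classify(event: dict, tickets: dict) -> str:
    """Return 'approved', or the reason the mutation counts as out-of-band."""
    ref = event.get("ticket")
    if not ref:
        return "no-ticket"                 # the console-toggle case: nothing to reconcile against
    t = tickets.get(ref)
    if t is None:
        return "unknown-ticket"
    if not t.approved:
        return "ticket-not-approved"
    if t.resource != event["resource"]:
        return "resource-not-in-scope"
    if not (t.start <= ts(event["ts"]) <= t.end):
        return "outside-change-window"     # valid ticket, but applied outside its window
    return "approved"


def out_of_band(events: list, tickets: dict) -> list:
    """Findings for every mutation that cannot be reconciled to an approved ticket."""
    return [(e["ts"], e["actor"], e["action"], e["resource"], classify(e, tickets))
            for e in events if classify(e, tickets) != "approved"]


if __name__ == "__main__":
    for finding in out_of_band(EVENTS, TICKETS):
        print(*finding)
```

In practice the event list would come from the cloud provider's audit log and the ticket register from the change-management system; the reconciliation logic is the same.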
🔗 Cross-Framework References
Automate ISO 27001 A.8.32 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.