IT Compliance of Change Management

As an independent (IT) auditor (among others), I provide you with an overview of the topic of IT compliance, especially with regard to change management:

In this first article, I will first introduce you to the key players and their most important IT compliance standards. Each of these standards either directly affects or at least relates to the topic of change management.
In the second part, I will then take a closer look at the processes of change management, i.e. the changes themselves, and analyze them in the context of ITIL (representing ITSM issues) and COBIT (governance of information and technology).
Lastly, I will then have a look at the topic of IT compliance through the “auditor’s glasses”: Besides change management, what are the core IT processes from the compliance auditor’s point of view? And how can organizations ensure audit-proof change documentation?
But first:

Good asset management is one of the central tasks of the IT department today. This is completely understandable – because you benefit from the well thought-out introduction of a precisely tailored lifecycle management system for a number of good reasons:

Is there a standard setter that sets the standards worldwide? No. Instead, an international network of players has developed whose standards often reference each other and have a significant influence right down to the national level. In addition, there are industry-specific standard setters – also at international, European and national level.

From and for Germany are to be mentioned directly:

• Bundesministerium des Innern, für Bau und Heimat; „Verordnung zur Bestimmung Kritischer Infrastrukturen nach dem BSI-Gesetz“ (BSI-Kritisverordnung / BSI-KritisV)
• Bundesamt für Sicherheit in der Informationstechnik (BSI); „IT-Sicherheitsgesetz“ (ITSiG), „Kriterienkatalog Cloud Computing C5“
• Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI); „Bundesdatenschutzgesetz“ (BDSG)
• Bundesministerium der Finanzen; BMF-Schreiben „Grundsätze zur ordnungsmäßigen Führung und Aufbewahrung von Büchern, Aufzeichnungen und Unterlagen in elektronischer Form sowie zum Datenzugriff“ (GoBD)
• Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin); Rundschreiben „Mindestanforderungen an das Risikomanagement“ (MaRisk) und „Bankaufsichtliche Anforderungen an die IT“ (BAIT)
• Konferenz der unabhängigen Datenschutzbehörden des Bundes und der Länder / Gremium der deutschen Datenaufsichtsbehörden; „Kurzpapiere der Datenschutzkonferenz (DSK)“
• Bundesnetzagentur; Standards: „Energiewirtschaftsgesetz“ (EnWG), „Erneuerbare-Energien-Gesetz“ (EEG)
• Institut der Wirtschaftsprüfer (IDW); e.g. with the standards IDW RS FAIT 1, IDW RS FAIT 5 and IDW PH 9.860.1-4

The following European and international institutions and standards are also relevant for Germany:

• International Organization for Standardization (ISO); standards: ISO 27k series (e.g. ISO/IEC 27001), ISO 22301
• National Institute of Standards and Technology (NIST, USA); Standards: SP 800-210, SP 800-63-3
• ENISA (European Network and Information Security Agency / European Union Agency for Cybersecurity); enisa Guidelines
• European Banking Authority (EBA); EBA Guidelines
• European Data Protection Board (EDPB); EU-Datenschutz-Grundverordnung (DS-GVO)
• American Institute of Certified Public Accountants (AICPA); e.g. SSAE 18
  and International Federation of Accountants (IFAC); e.g. ISAE 3402 – both standards relevant for the outsourcing of services with relevance to accounting

The following requirements, for example, are specifically regulated for IT and SAP change management by the aforementioned IT compliance standards:

• ISO/IEC 27001: A.14 Acquire, develop, and maintain systems; A.14.1.1 Analyze and specify information security requirements; A.14.1.2 Secure application services on public networks; A.14.1.3 Protect application service transactions; A.14.2.1 Policy for secure development A.14.2.2 Procedures for managing system changes; A.14 .2.3 Technical review of applications after changes to the operating platform; A.14.2.4 Restriction of changes to software packages; A.14.2.5 Principles for analyzing, developing, and maintaining secure systems; A.14.2.6 Secure development environment; A.14.2.7 Outsourced development; A.14.2.8 System security testing; A.14.2.9 System acceptance testing; A.14.3.1 Protection of test data.
• “Criteria Catalog Cloud Computing C5” and BSI Criteria Regulation: OPS.1.1.3 Patch and Change Management; DEV-01 Information systems development/procurement policies; DEV-02 Development outsourcing; DEV-03 Information systems change policies; DEV-04 Security education and awareness program regarding continuous software delivery and associated systems, components, or tools; DEV-05 Risk assessment, categorization, and prioritization of changes; DEV-06 Testing of changes; DEV-07 Logging of changes; DEV-08 Version control; DEV-09 Releases for deployment to production environment; DEV-10 Separation of environments.
• EBA Guidelines: 3.6.3. ICT change management (75-76)
• BAIT: 6. IT projects, application development (incl. by end users in business units) (31-44)

In the second article of this series, I will explain the importance of ITIL and COBIT for IT compliance in change management.

Information about me and Falk IT Audit & Consulting can be found at https://audit.falk-co.de/en/company and https://audit.falk-co.de/en.