IT Compliance of Change Management

IT and SAP Change Management: IT Compliance through “Auditor’s Glasses” – Part 1

With the start of a new year, plenty of IT compliance changes are coming up again. These could also affect your IT/SAP change management. The high relevance for audits and, for example, the often tricky IT system audit, means that IT and SAP managers are now responsible for implementing this quickly. And this with an increasing number of standards to consider in general and depending on the industry.

Articles about IT Compliance from SAP and IT Change Management

As an independent (IT) auditor (among others), I provide you with an overview of the topic of IT compliance, especially with regard to change management:

In this first article, I will first introduce you to the key players and their most important IT compliance standards. Each of these standards either directly affects or at least relates to the topic of change management.
In the second part, I will then take a closer look at the processes of change management, i.e. the changes themselves, and analyze them in the context of ITIL (representing ITSM issues) and COBIT (governance of information and technology).
Lastly, I will then have a look at the topic of IT compliance through the “auditor’s glasses”: Besides change management, what are the core IT processes from the compliance auditor’s point of view? And how can organizations ensure audit-proof change documentation?
But first:

Good asset management is one of the central tasks of the IT department today. This is completely understandable – because you benefit from the well thought-out introduction of a precisely tailored lifecycle management system for a number of good reasons:

Key players and standard setters for IT compliance

Is there a standard setter that sets the standards worldwide? No. Instead, an international network of players has developed whose standards often reference each other and have a significant influence right down to the national level. In addition, there are industry-specific standard setters – also at international, European and national level.

Who are the IT compliance standard setters in Germany?

From and for Germany are to be mentioned directly:

  • Bundesministerium des Innern, für Bau und Heimat; „Verordnung zur Bestimmung Kritischer Infrastrukturen nach dem BSI-Gesetz“ (BSI-Kritisverordnung / BSI-KritisV)
  • Bundesamt für Sicherheit in der Informationstechnik (BSI); „IT-Sicherheitsgesetz“ (ITSiG), „Kriterienkatalog Cloud Computing C5“
  • Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI); „Bundesdatenschutzgesetz“ (BDSG)
  • Bundesministerium der Finanzen; BMF-Schreiben „Grundsätze zur ordnungsmäßigen Führung und Aufbewahrung von Büchern, Aufzeichnungen und Unterlagen in elektronischer Form sowie zum Datenzugriff“ (GoBD)
  • Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin); Rundschreiben „Mindestanforderungen an das Risikomanagement“ (MaRisk) und „Bankaufsichtliche Anforderungen an die IT“ (BAIT)
  • Konferenz der unabhängigen Datenschutzbehörden des Bundes und der Länder / Gremium der deutschen Datenaufsichtsbehörden; „Kurzpapiere der Datenschutzkonferenz (DSK)“
  • Bundesnetzagentur; Standards: „Energiewirtschaftsgesetz“ (EnWG), „Erneuerbare-Energien-Gesetz“ (EEG)
  • Institut der Wirtschaftsprüfer (IDW); e.g. with the standards IDW RS FAIT 1, IDW RS FAIT 5 and IDW PH 9.860.1-4

The following European and international institutions and standards are also relevant for Germany:

  • International Organization for Standardization (ISO); standards: ISO 27k series (e.g. ISO/IEC 27001), ISO 22301
  • National Institute of Standards and Technology (NIST, USA); Standards: SP 800-210, SP 800-63-3
  • ENISA (European Network and Information Security Agency / European Union Agency for Cybersecurity); enisa Guidelines
  • European Banking Authority (EBA); EBA Guidelines
  • European Data Protection Board (EDPB); EU-Datenschutz-Grundverordnung (DS-GVO)
  • American Institute of Certified Public Accountants (AICPA); e.g. SSAE 18
    and International Federation of Accountants (IFAC); e.g. ISAE 3402 – both standards relevant for the outsourcing of services with relevance to accounting

IT compliance requirements for IT and SAP change management

The following requirements, for example, are specifically regulated for IT and SAP change management by the aforementioned IT compliance standards:

  • ISO/IEC 27001: A.14 Acquire, develop, and maintain systems; A.14.1.1 Analyze and specify information security requirements; A.14.1.2 Secure application services on public networks; A.14.1.3 Protect application service transactions; A.14.2.1 Policy for secure development A.14.2.2 Procedures for managing system changes; A.14 .2.3 Technical review of applications after changes to the operating platform; A.14.2.4 Restriction of changes to software packages; A.14.2.5 Principles for analyzing, developing, and maintaining secure systems; A.14.2.6 Secure development environment; A.14.2.7 Outsourced development; A.14.2.8 System security testing; A.14.2.9 System acceptance testing; A.14.3.1 Protection of test data.
  • “Criteria Catalog Cloud Computing C5” and BSI Criteria Regulation: OPS.1.1.3 Patch and Change Management; DEV-01 Information systems development/procurement policies; DEV-02 Development outsourcing; DEV-03 Information systems change policies; DEV-04 Security education and awareness program regarding continuous software delivery and associated systems, components, or tools; DEV-05 Risk assessment, categorization, and prioritization of changes; DEV-06 Testing of changes; DEV-07 Logging of changes; DEV-08 Version control; DEV-09 Releases for deployment to production environment; DEV-10 Separation of environments.
  • EBA Guidelines: 3.6.3. ICT change management (75-76)
  • BAIT: 6. IT projects, application development (incl. by end users in business units) (31-44)

In the second article of this series, I will explain the importance of ITIL and COBIT for IT compliance in change management.

Author IT Compliance of Change Management

Information about me and Falk IT Audit & Consulting can be found at and

The auditor is coming tomorrow


Did you miss our interactive expert panel on IT compliance? Together with Prof. Dr. Jonas Tritschler (Falk IT Audit & Consulting) and Michael Heyn (SERVIEW) we discussed:

  • Why requirements and complexity will increase in the future.
  • Why IT compliance is such an unwelcome topic for many organizations.
  • And how to set up your IT organization so that the next audit is done at the push of a button.

Watch recording for free now! [in German]


Mit dem Laden des Videos akzeptieren Sie die Datenschutzerklärung von YouTube.
Mehr erfahren

Video laden

Do you want to learn more?
Experience the integration live.