CM-04 Monitoring Configuration Changes

Configuration Management

Low Moderate High Privacy

Description

The organization monitors changes to the information system, conducting security and privacy impact analyses to determine the effects of the changes.

Supplemental Guidance

Prior to change implementation, and as part of the change approval process, the organization analyzes changes to the information system for potential security impacts. After the information system is changed (including upgrades and modifications), the organization checks the security features to verify that the features are still functioning properly. The organization audits activities associated with configuration changes to the information system. Monitoring configuration changes and conducting security impact analyses are important elements with regard to the ongoing assessment of security controls in the information system. Related security control: CA-07.
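The three steps above (pre-change impact analysis, post-change verification of security features, and an audit trail of the change) can be expressed as a small workflow. The following is a worked example added here; it is not NIST text or a reference implementation. The flat key/value configuration model, the SECURITY_REQUIREMENTS and SECURITY_RELEVANT_PREFIXES tables, the sample baseline and the change IDs are all constructed for illustration. The point it makes that the guidance does not spell out: post-change verification must inspect what is actually on the system, not the change request, because an upgrade can reset a setting the request never mentioned.

```python
"""Worked example (added here, not from NIST SP 800-53): the CM-04 cycle as code.

Pre-change security impact analysis, post-change verification that security
features still hold, and an audit record for each change. All keys, values and
configs are constructed sample data; the flat-dict config model is an assumption.
"""
import hashlib
import json
from datetime import datetime, timezone

# Assumed security features that must hold after any change (constructed sample).
SECURITY_REQUIREMENTS = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "audit.enabled": True,
    "tls.min_version": "1.2",
}

# Assumed key prefixes whose modification requires a security impact analysis.
SECURITY_RELEVANT_PREFIXES = ("sshd.", "audit.", "tls.", "firewall.")


def diff_configs(before, after):
    """Return {key: (old, new)} for every key that differs between two flat configs."""
    return {k: (before.get(k), after.get(k))
            for k in sorted(set(before) | set(after))
            if before.get(k) != after.get(k)}


def security_impact_analysis(changes):
    """Pre-implementation step: flag security-relevant changes and any that would
    break a required security feature. Approval is withheld on any violation."""
    relevant = {k: v for k, v in changes.items() if k.startswith(SECURITY_RELEVANT_PREFIXES)}
    violations = {k: new for k, (_old, new) in relevant.items()
                  if k in SECURITY_REQUIREMENTS and new != SECURITY_REQUIREMENTS[k]}
    return {"security_relevant": relevant, "violations": violations, "approve": not violations}


def verify_security_features(observed):
    """Post-implementation step: check the live config, not the change request,
    because upgrades and installers can alter settings the request never mentioned."""
    return [(k, expected, observed.get(k))
            for k, expected in SECURITY_REQUIREMENTS.items()
            if observed.get(k) != expected]


def audit_record(actor, change_id, changes, analysis, applied, failures, now=None):
    """Build the audit event for the change; the digest lets a log consumer detect
    edits to a stored record (chain the digests for tamper-evidence across records)."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    body = {
        "ts": ts,
        "actor": actor,
        "change_id": change_id,
        "changes": {k: list(v) for k, v in changes.items()},
        "security_relevant": sorted(analysis["security_relevant"]),
        "violations": analysis["violations"],
        "approved": analysis["approve"],
        "applied": applied,
        "post_change_failures": [list(f) for f in failures],
    }
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return {**body, "sha256": digest}


def run_change(baseline, proposed, observed, actor, change_id, now=None):
    """Full CM-04 cycle: analyse the proposed change, apply only if approved,
    then verify security features against what is actually on the system."""
    changes = diff_configs(baseline, proposed)
    analysis = security_impact_analysis(changes)
    if not analysis["approve"]:
        return audit_record(actor, change_id, changes, analysis, False, [], now)
    failures = verify_security_features(observed)
    return audit_record(actor, change_id, changes, analysis, True, failures, now)


# Constructed sample baseline.
BASELINE = {
    "sshd.version": "9.6",
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "audit.enabled": True,
    "tls.min_version": "1.2",
    "motd.banner": "Authorized use only",
}

if __name__ == "__main__":
    # A request that only bumps sshd.version, but the upgrade silently re-enabled
    # password auth: approved pre-change, caught only by post-change verification.
    proposed = {**BASELINE, "sshd.version": "9.7"}
    observed = {**proposed, "sshd.PasswordAuthentication": "yes"}
    print(json.dumps(run_change(BASELINE, proposed, observed, "alice", "CHG-0042"), indent=2))
```

The pre-change gate and the post-change check deliberately use different inputs: the analysis runs over the proposed diff (what the approver sees), while verification runs over the observed state (what the system ended up with). A change that passes the first and fails the second is exactly the case the guidance's "after the information system is changed ... checks the security features" clause is meant to catch, and the audit record keeps both outcomes together for the CA-07 continuous-monitoring view.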

Changes from Rev 4

Title changed from 'Security Impact Analysis'.
Control text adds 'privacy'.

Enhancements

(0) None.

Compliance Mappings

ISO 27001:2022

6.3, A.5.36, A.8.31, A.8.32, A.8.9

ISO 27002:2022

5.37, 8.31, 8.32, 8.9

COBIT 2019

APO11, BAI05, BAI06, BAI07, BAI10

CIS Controls v8

CIS 16.8

NIST CSF 2.0

ID.RA-07

SOC 2 TSC

CC3.4

PCI DSS v4.0.1

6.5

CSA CCM v4

CCC-02, DSP-15, IVS-05

CSA AICM v1

CCC-02, DSP-15, I&S-05

FINOS CCC

CCC-C07

ISO 42001:2023

A.6.2.6

PRA Operational Resilience

SS1/21-11.1

BSI IT-Grundschutz

OPS.1.1.3, OPS.1.1.6

ANSSI

Hygiene.34, SecNumCloud.13.2

FINMA Circular 2023/1

IV.A(36), IV.A(37), IV.A(38), IV.C(66)

OSFI B-13

B-13.2.3, B-13.3.3

EU GDPR

Art.32(1)(d), Art.35(1)

EU DORA

Art.25(1), Art.9(4)(e)

BIO2

5.37, 8.31, 8.32, 8.9

RBI CSF

Annex1.7, ITGRCA.13

FISC Security Guidelines

FISC.O3

HKMA TM-E-1

TME1.3.2, TME1.3.3, TME1.4.1, TME1.4.3

MLPS 2.0

8.1.10.8, 8.1.9.4

DNB Good Practice

DNB.10.1, DNB.10.2, DNB.10.3, DNB.10.4

EU CRA

CRA.II.2, CRA.Info.8b

SAMA CSF

3.23.5

NCA ECC

2-3

UAE IA

T10, T7

CBB TM

TM-11, TM-5, TM-7

Qatar NIA

OSSD

CBE CSF

CTO-12, CTO-9

SA JS2

JS2-8.5

BoM CTRM

3.6

IOSCO Cyber Resilience

PROT-6, TEST-3

BCBS 239

Principle 6

FFIEC IS

II.A.2, II.C.10, II.C.17

NYDFS 500

500.5, 500.8

ECB CROE

CROE.2.3.4

EBA ICT Guidelines

3.4.6, 3.5(b), 3.6.3

SEBI CSCRF

PR.IP

BOT Cyber Resilience

Ch10.1

CMMC 2.0

CM

NERC CIP

CIP-010-4

10 CFR 73.54

RG5.71-B-CM

TSA Pipeline SD

SD-2 Sec D

API 1164

Sec 7

ISAE 3402

Clause 4

Solvency II

EIOPA-ICT-4.11, EIOPA-ICT-4.8

Lloyd's Minimum Standards

MS8.4

NAIC Insurance Data Security

4-config, 4E

PRA SS1/23

P3.3, P3.4

FCA SYSC 13

SYSC 13.7.4, SYSC 13.8.4

HITRUST CSF v11

09.a, 10.d

FDA 21 CFR Part 11

§11.10(a)

FDA Cybersecurity Guidance

PU-1

ISO 27799

12.5, 14.2

NHS DSPT

NDG-8.2

Basel SCO60

SCO60.52

BSSC Standards

NOS-10

ISO 17799 (legacy)

10.1.2

COBIT 4.1 (legacy)

DS5.5, DS9.3