6.4.5 Change control procedures must include the following:

6.4.5 Change control procedures must include the following:

6.4.5.a Examine documented change control procedures and verify procedures are defined for:
• Documentation of impact
• Documented change approval by authorized parties
• Functionality testing to verify that the change does not adversely impact the security of the system
• Back-out procedures
6.4.5.b For a sample of system components, interview responsible personnel to determine recent changes. Trace those changes back to related change control documentation. For each change examined, perform the following:

If not properly managed, the impact of system changes—such as hardware or software updates and installation of security patches—might not be fully realized and could have unintended consequences.