6.4.5 Change control procedures for the implementation of security patches and software modifications must include the following:
6.4.5.a Examine documented change control procedures related to implementing security patches and software modifications and verify procedures are defined for:
• Documentation of impact
• Documented change approval by authorized parties
• Functionality testing to verify that the change does not adversely impact the security of the system
• Back-out procedures
6.4.5.b For a sample of system components, interview responsible personnel to determine recent changes/security patches. Trace those changes back to related change control documentation. For each change examined, perform the following: (See 6.5.4.#)
If not properly managed, the impact of software updates and security patches might not be fully realized and could have unintended consequences.