8 - Change management and agility

Change management and agility is important to control the PKI implementation and configuration changes, adjustments, modifications, and improvements. Technologies are changing fast and the PKI needs to be able to adapt to the changes. The same applies for security vulnerabilities, deprecation of algorithms, and other changes that can significantly affect the PKI.

The change management should provide a robust and reliable process to ensure that every change is properly assessed, approved, and implemented. The process should be aligned with the organizational change management process and should be followed by all stakeholders.

Agility means that the PKI is able to adapt to the changes quickly and efficiently. Agility is applied to technologies, processes, algorithms, and other parts of the PKI implementation. Efficient adaptation to the changes makes the PKI more reliable and trustworthy, reducing operational risks.

Category maturity levels description

Maturity levelDescription
1 - InitialChange management is not defined and agility is not considered and applied.
2 - BasicChange management does not have documented and followed structure and is often ad-hoc. Agility is not formally cosnidered, however, it is applied in some cases.
3 - AdvancedProcesses for change management and agility are defined and designed to support the PKI implementation. The procedures and not always followed.
4 - ManagedChange management is integrated with the organizational change management process. Requirements for the agility are identified and implemented. Procedures are followed and monitored.
5 - OptimizedApproved change management policy and agility processes are followed and monitored. It is continuously improved and adapted to the changes.

Requirements

#RequirementWeight
1The policy for change management and agility is documented4
2Request for change structure is documented and followed3
3The change management process is documented and implemented4
4Requirements for agility are identified2
5Change management and agility is periodically reviewed2

Details

The policy for change management and agility is documented

Guidance

The policy for change management and agility should be documented and approved by the management. The policy contains principles and boundaries for the implementation of the change management and agility requirements. Typically, it can be documented on the organizational level and applied to all systems and services, including the PKI implementation.

The PKI may have specific requirements for change management and agility, and therefore it may be recommended to have a separate policy for the PKI implementation. The policy should be aligned with organizational policy and should be approved by the responsible personnel for the PKI.

The policy contains the following information:

  • Approach to change management and agility
  • Principles and boundaries for change management and agility
  • Roles and responsibilities
  • Requirements for change management and agility
  • Tools and technologies used for change management
  • And other relevant information

Assessment

The following is sample evidence that can be used to assess the requirement:

  • Documented policy for change management and agility
  • Alignment with organizational policy
  • Approval by the management
  • Understanding of the policy by the PKI personnel
  • And other relevant evidence

References

Request for change structure is documented and followed

Guidance

The request for change structure is the basic stone of each change management process. It provides information about a change, its scope, and other relevant data. The request for change structure should be formally documented and followed by all stakeholders involved.

Request for change can contain any change that can affect the PKI implementation, including:

  • PKI upgrades, updates, and patches
  • New components or functionalities
  • Changes in the configuration of the PKI
  • Changes in the algorithms and protocols

Request for change structure should cover the following information:

  • Description of the change
  • Scope of the change
  • Category of the change
  • Impacted systems and services
  • Back-out procedure in case of failure
  • Testing requirements
  • And other relevant information

Assessment

The following is sample evidence that can be used to assess the requirement:

  • Documented request for change structure
  • Sample of change request
  • Review implemented changes and compare with the request for change

References

The change management process is documented and implemented

Guidance

The change management process is the core of the change management and agile systems. It provides a robust and reliable process to ensure that every change is properly assessed, approved, implemented, and eventually reviewed.

The change management process should be documented, communicated, and integrated into the organization. The process states how a request for change can be submitted and how it is processed, which includes assessment and approval of the change, implementation of the change, functional testing after the change, and review of the change.

Assessment

The following is sample evidence that can be used to assess the requirement:

  • Documented change management process
  • Sample of change request
  • Steps involved in the change management process
  • Interview with the responsible personnel

References

Requirements for agility are identified

Guidance

Agility provides the ability to adapt to changes quickly and efficiently. Agility and change management are closely related and should be considered together. The future-proof PKI implementation should be able to identify the requirements for agility and implement them in a timely manner.

Agility can be considered on operational and technical levels. Operational agility means that the PKI is able to adapt to changes in the operational environment, including any changes to the organizational structure, processes, and other operational aspects. Technical agility means that the PKI is able to adapt to changes in the technologies, algorithms, protocols, and other technical aspects.

Identification of requirements where agility is needed is important to ensure changes are implemented when needed.

Assessment

The following is sample evidence that can be used to assess the requirement:

  • Agility requirements of the PKI implementation
  • Configuration changes
  • Changes in the operational environment
  • Changes in the technologies
  • And other relevant evidence

References

Change management and agility is periodically reviewed

Guidance

The change management and agility requirements should be periodically reviewed to ensure that they are still valid and relevant. The review should be performed by the responsible personnel and should be documented. A good practice is to review the change management and agility requirements at least once a year, however, the frequency of the review can be different depending on the PKI implementation.

Assessment

  • Change management review frequency
  • Implementation of review process and documentation
  • Interview with the responsible personnel

References

Participate in our community discussions and/or join the consortium