9 - Change management and agility

Change management and agility are important for controlling changes, adjustments, modifications, and improvements to the PKI implementation and configuration. Technologies change fast, and the PKI needs to be able to adapt to those changes. The same applies to security vulnerabilities, deprecation of algorithms, and other changes that can significantly affect the PKI.

Change management should provide a robust and reliable process to ensure that every change is properly assessed, approved, and implemented. The process should be aligned with the organizational change management process and should be followed by all stakeholders.

Agility means that the PKI is able to adapt to the changes quickly and efficiently. Agility is applied to technologies, processes, algorithms, and other parts of the PKI implementation. Efficient adaptation to the changes makes the PKI more reliable and trustworthy, reducing operational risks.

Category maturity levels description

Maturity level | Description
1 - Initial    | Change management is not defined, and agility is neither considered nor applied.
2 - Basic      | Change management does not have a documented and followed structure and is often ad hoc. Agility is not formally considered; however, it is applied in some cases.
3 - Advanced   | Processes for change management and agility are defined and designed to support the PKI implementation. The procedures are not always followed.
4 - Managed    | Change management is integrated with the organizational change management process. Requirements for agility are identified and implemented. Procedures are followed and monitored.
5 - Optimized  | An approved change management policy and agility processes are followed and monitored. They are continuously improved and adapted to changes.

Requirements

# | Requirement                                                      | Weight
1 | The policy for change management and agility is documented       | 4
2 | Request for change structure is documented and followed          | 3
3 | The change management process is documented and implemented      | 4
4 | Requirements for agility are identified                          | 2
5 | Change management and agility is periodically reviewed           | 2

Details

The policy for change management and agility is documented

Guidance

The policy for change management and agility should be documented and approved by management. The policy contains the principles and boundaries for implementing the change management and agility requirements. Typically, it can be documented at the organizational level and applied to all systems and services, including the PKI implementation.

The PKI may have specific requirements for change management and agility, so a separate policy for the PKI implementation may be recommended. Such a policy should be aligned with the organizational policy and should be approved by the personnel responsible for the PKI.

The policy contains the following information:

  • Approach to change management and agility
  • Principles and boundaries for change management and agility
  • Roles and responsibilities
  • Requirements for change management and agility
  • Tools and technologies used for change management
  • And other relevant information

Assessment

The following is sample evidence that can be used to assess the requirement:

  • Documented policy for change management and agility
  • Alignment with organizational policy
  • Approval by the management
  • Understanding of the policy by the PKI personnel
  • And other relevant evidence

References

Request for change structure is documented and followed

Guidance

The request for change structure is the cornerstone of every change management process. It provides information about a change, its scope, and other relevant data. The request for change structure should be formally documented and followed by all stakeholders involved.

A request for change can cover any change that can affect the PKI implementation, including:

  • PKI upgrades, updates, and patches
  • New components or functionalities
  • Changes in the configuration of the PKI
  • Changes in the algorithms and protocols

The request for change structure should cover the following information:

  • Description of the change
  • Scope of the change
  • Category of the change
  • Impacted systems and services
  • Back-out procedure in case of failure
  • Testing requirements
  • And other relevant information

Assessment

The following is sample evidence that can be used to assess the requirement:

  • Documented request for change structure
  • Sample of change request
  • Review of implemented changes compared with the corresponding requests for change

References

The change management process is documented and implemented

Guidance

The change management process is the core of change management and agility. It provides a robust and reliable process to ensure that every change is properly assessed, approved, implemented, and eventually reviewed.

The change management process should be documented, communicated, and integrated into the organization. The process states how a request for change can be submitted and how it is processed, which includes assessment and approval of the change, implementation of the change, functional testing after the change, and review of the change.

Assessment

The following is sample evidence that can be used to assess the requirement:

  • Documented change management process
  • Sample of change request
  • Steps involved in the change management process
  • Interview with the responsible personnel

References

Requirements for agility are identified

Guidance

Agility provides the ability to adapt to changes quickly and efficiently. Agility and change management are closely related and should be considered together. A future-proof PKI implementation should be able to identify the requirements for agility and implement them in a timely manner.

Agility can be considered on operational and technical levels. Operational agility means that the PKI is able to adapt to changes in the operational environment, including any changes to the organizational structure, processes, and other operational aspects. Technical agility means that the PKI is able to adapt to changes in the technologies, algorithms, protocols, and other technical aspects.

Identifying where agility is needed is important to ensure that changes can be implemented when they are required.

Assessment

The following is sample evidence that can be used to assess the requirement:

  • Agility requirements of the PKI implementation
  • Configuration changes
  • Changes in the operational environment
  • Changes in the technologies
  • And other relevant evidence

References

Change management and agility is periodically reviewed

Guidance

The change management and agility requirements should be periodically reviewed to ensure that they are still valid and relevant. The review should be performed by the responsible personnel and should be documented. A good practice is to review the change management and agility requirements at least once a year; however, the frequency of the review may differ depending on the PKI implementation.

Assessment

The following is sample evidence that can be used to assess the requirement:

  • Change management review frequency
  • Implementation of review process and documentation
  • Interview with the responsible personnel

References
