Change management

Assess potential information and cyber security risks before you make a change to your existing processes, assets or systems.

Identify information and cyber security requirements for all types of changes, not only ICT development projects.

Take steps to address the risks at an early stage.
Review risks and steps taken at predefined stages and throughout the change process.

Allocate responsibility for information and cyber security risks to someone who is involved in the project.

Document your approach to the secure development and acquisition of new applications and systems.

Establish and apply a minimum secure baseline for their development and acquisition.
Implement security testing during the development life cycle and through the acquisition process.
Assign responsibility for directing, monitoring and reviewing the outsourced system development.
Separate development, testing and production environments.
Ensure any personal information used in development environments is either falsified or fully anonymised.
Build the minimum and desired security requirements into tendering documents.
Embed consultation with cyber security teams into system development and procurement processes.

Have gateways and sign offs in place for new software and changes to existing software.

Involve the DPO on completion of any risk assessment to check whether the installation of new software will have an impact on data protection compliance.
Keep a record of any changes to existing software assets.

Complete a full back up of information before implementing changes to software assets.
Monitor recent changes to software assets closely for a period following implementation.
Communicate software changes to staff to make them aware and alert to new issues and vulnerabilities.