Question: Are configuration changes controlled through a formal change-management process integrated with asset inventory (CMDB)?
Objective — Why This Matters
Untracked configuration changes cause outages and security regressions. Linking change control with asset data ensures traceability and accountability.
Maturity Levels (0 – 5)
0 – No change control; direct edits on production.
1 – Email-based approvals; incomplete records.
2 – Change requests logged; impact review performed.
3 – Linked to asset inventory (CMDB); post-change validation.
4 – Automated approvals via workflow tools; metrics tracked.
5 – Policy-as-code with continuous integration and rollback.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 2 | Create change templates and approval matrix. |
| 2 → 3 | Integrate with asset registry (NetBox / CMDB). |
| 3 → 4 | Automate approvals and notifications. |
| 4 → 5 | Embed policy checks in GitOps workflow. |
People / Process / Technology Enablers
People – Infra Ops, Change Manager.
Process – CAB reviews, impact assessment, rollback testing.
Technology – NetBox, ServiceDesk / Redmine / Jira Service Management.
Evidence Required
Change tickets, approval logs, post-implementation validation.
Metrics / KPIs
• number of unauthorized changes detected
• percentage of changes rolled back due to failure
• average approval-to-implementation time
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Inventory | NetBox | Source of truth for infrastructure assets. |
| Workflow | Redmine / Odoo Helpdesk | Change request tracking. |
| Automation | Ansible / GitHub Actions | Pre/post change tasks and validation. |
Common Pitfalls
Shadow changes without records; skipping rollback tests.
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO 27001 | A.8.32 (Change management). |
| NIST CSF 2.0 | PR.IP-3 / PR.MA-1. |
| CERT-In 2022 | Documented change controls. |
| NIRMATA Scoring | IS-Q04 ≥ Level 4 requires automated workflows and asset linkage. |