There are multiple security controls listed in cyber best practices related to change management. Yet, when I talk to people many times people feel change management is not part of cyber.

So why is change management towards the high side of importance for ongoing cyber maintenance? Lets look to an example. I had a device that had an established security baseline. We made a documented change and realized that change affected a security function so we retested the function in front of our customer. It didn't work, but it should have worked with no problems. We went back and did root cause analysis and realized it was not our change that was the problem. The vendor supplying the device had made a change several years back. They thought the change was no big deal and would not affect anything so they never put it through change management. Because it never came through change management it was never analyzed for security impacts. No one raised the flag and said hey we need to check and make sure this change didn't impact the function its designed to carry out. As a result the function had broken and no one had been the wiser. We had to spend a small fortune and get the broken function fixed immediately. It was extremely stressful and we looked pretty bad to our customer.

Done correctly change management allows for changes to be reviewed and to determine potential impact before they go into effect. The impact assessment needs to include a security impact assessment. This prevents issues before they occur. This could be as simple as looking at the release notes of a new version of a product to make sure the changes won't negatively impact security and looking up the version in a vulnerability database like NVD to make sure there are no glaring issues before its installed. Whatever you do the important part is to make sure you have some type of process and don't just make changes without reviewing them.