CTPS 4.6 Requirement 5: Change management
CTPS 4.6.1R
1A critical third party must ensure that it has a systematic and effective approach to dealing with changes to a systemic third party service, including changes to the processes or technologies used to deliver, maintain or support a systemic third party service, including by:
- (1)
implementing appropriate policies, procedures and controls to manage effectively the resilience of any change to a systemic third party service;
- (2)
implementing any change to a systemic third party service in a way that minimises appropriately the risk of any CTP operational incident occurring; and
- (3)
ensuring that prior to being implemented, any change is appropriately risk-assessed, recorded, tested, verified and approved.