📖 What is a Change Control Board (CCB)?
A Change Control Board (CCB) is a committee of stakeholders responsible for reviewing, evaluating, and approving or rejecting proposed changes to a project or information system. It ensures that changes are documented and their impact is fully understood.
"The CCB's primary role is to manage risk. Look for 'unauthorized changes' in exam scenarios—this usually indicates a failure of the CCB process."
📚 Certification: Certified Information Systems Auditor (CISA)
🔑 What are the Key Concepts of a Change Control Board (CCB)?
- ▸ Cross-functional Composition: The CCB typically includes representatives from business, IT, and security to ensure all perspectives are considered during the impact analysis process.
- ▸ Risk Mitigation Focus: The primary goal is to evaluate the potential risk of a change against the benefit, preventing outages or security vulnerabilities.
- ▸ Segregation of Duties: To maintain integrity, the CCB provides oversight and approval, ensuring that those who request or implement changes do not unilaterally approve them.
- ▸ Formal Documentation: Every decision, including the rationale for approval or rejection, must be documented to provide a complete audit trail for compliance and accountability.
- ▸ Post-Implementation Review: The CCB often reviews the results of a change to verify it achieved the desired outcome without introducing unforeseen issues.
🎯 How does a Change Control Board (CCB) appear on the CISA Exam?
You may be asked to identify the root cause when an auditor discovers unauthorized configuration changes in production; the answer typically points to a failure in the CCB process.
A scenario might describe an urgent system outage requiring an immediate fix. Expect questions on the appropriate 'Emergency Change' process and how the CCB provides retrospective approval.
Expect questions where a developer approves their own code deployment to production. You must identify this as a lack of independent CCB oversight and a segregation of duties violation.
❓ Frequently Asked Questions
What is the difference between Change Management and the CCB?
Change Management is the overall framework and set of processes used to handle changes, while the CCB is the specific governing body that executes the approval authority within that framework.
How should the CCB handle emergency changes to avoid delaying critical fixes?
Organizations often implement an Emergency Change Advisory Board (ECAB) for rapid approval, followed by a formal retrospective review by the full CCB to ensure documentation is completed.
Can a single person act as the CCB in small organizations?
While possible, it creates a significant risk. CISA emphasizes that regardless of size, a separate authority must approve changes to maintain segregation of duties and reduce risk.