IT Change, Configuration, and Patch Management is an integrated set of preventive control processes that governs how IT systems are modified, tracked, and maintained. Change Management ensures every alteration to an IT environment — hardware, software, configuration, or infrastructure — follows a documented, approved workflow with impact analysis and rollback provisions. Configuration Management (CM) maintains accurate, current baselines of all IT assets and their interdependencies so that changes can be assessed and anomalies detected. Patch Management applies vendor-issued fixes for vulnerabilities and defects through a structured cycle of identification, testing, deployment, and verification. These three disciplines form a closed-loop system: CM provides the baseline, Change Management governs modifications, and Patch Management is the highest-frequency, highest-risk change type that exercises both.
Where it stops · what it isn't
- IS: The structured process of requesting, approving, testing, deploying, and reviewing changes to IT systems and their configurations.
- IS: The maintenance of an authoritative inventory — the Configuration Management Database (CMDB) — recording IT assets, their attributes, and their relationships.
- IS: The lifecycle management of security and functional patches from vulnerability disclosure through deployment verification.
- IS NOT: Incident Management (reactive response after a failure occurs) — though change failures may trigger incidents.
- IS NOT: Problem Management (root-cause analysis of recurring failures) — though Change Management feeds lessons into Problem Management via PIRs.
- IS NOT: IT Asset Management in full scope — CM overlaps but focuses on configuration state and relationships, not procurement or financial lifecycle.
- IS NOT: Continuous Deployment (CD) pipelines in isolation — CD is a delivery mechanism; Change Management provides the governance layer over CD.
- IS NOT: Vulnerability scanning — scanning identifies what needs patching; Patch Management decides and executes the remediation.
Connected concepts in the graph
- REQUIRES: Operational Log Management; Configuration Management Database (CMDB)
- ENABLES: Problem and Incident Management; System and Operational Resilience
- RELATED TO: IT Asset Management; Database Management
- PART OF: ISACA CISA Domain 4: Information Systems Operations and Business Resilience
- CONSTRAINS: Continuous Deployment and DevOps Pipelines