Which control governs when and how configuration changes are made to information systems?


Multiple Choice

Which control governs when and how configuration changes are made to information systems?

Explanation:
Governing when and how changes are made to information systems is handled by configuration change control, a specific practice within configuration management. This control formalizes the process for initiating, reviewing, approving, testing, and implementing changes, as well as documenting outcomes and maintaining a reliable change history. By requiring change requests to be assessed for impact, authorized before implementation, tested in a controlled environment, and properly recorded, it ensures changes are deliberate, traceable, and do not disrupt operations or introduce new risks.

Other controls focus on different areas: vulnerability scanning finds security weaknesses, security categorization (FIPS 199) classifies the potential impact of a breach, and system interconnections (CA-3) governs how systems connect with others. None of these governs the process of approving and enacting configuration changes.

