After an IS is approved for operation in a specific computing environment, changes to the IS and the computing environment must be
controlled. Although changes may adversely affect the overall security posture of the infrastructure and the IS, change is ongoing as it responds to the needs of the user and new technology developments. As the threats become more sophisticated or focused on a particular asset, countermeasures must be strengthened or added to provide adequate protection. Therefore, change management is required to maintain an acceptable level of residual risk.