SIST EN 80001-1:2011

SLOVENSKI STANDARD
SIST EN 80001-1:2011
01-maj-2011
8SRUDEDXSUDYOMDQMDWYHJDQMD]DRPUHåMD,7NLYNOMXþXMHMRPHGLFLQVNHQDSUDYH
GHO9ORJHRGJRYRUQRVWLLQGHMDYQRVWL,(&
Application of risk management for IT-networks incorporating medical devices - Part 1:
Roles, responsibilities and activities (IEC 80001-1:2010)
Anwendung des Risikomanagements für IT-Netzwerke, die Medizinprodukte beinhalten -
Teil 1: Aufgaben, Verantwortlichkeiten und Aktivitäten (IEC 80001-1:2010)
Application de la gestion des risques aux réseaux des technologies de l’information
contenant des dispositifs médicaux - Partie 1: Fonctions, responsabilités et activités (CEI
80001-1:2010)
Ta slovenski standard je istoveten z: EN 80001-1:2011
ICS:
11.040.01 Medicinska oprema na Medical equipment in general
splošno
35.240.80 Uporabniške rešitve IT v IT applications in health care
zdravstveni tehniki technology
SIST EN 80001-1:2011 en
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------

SIST EN 80001-1:2011

---------------------- Page: 2 ----------------------

SIST EN 80001-1:2011

EUROPEAN STANDARD
EN 80001-1

NORME EUROPÉENNE
March 2011
EUROPÄISCHE NORM

ICS 11.040.01; 35.240.80


English version


Application of risk management for IT-networks incorporating medical
devices -
Part 1: Roles, responsibilities and activities
(IEC 80001-1:2010)


Application de la gestion des risques aux Anwendung des Risikomanagements für
réseaux des technologies de l’information IT-Netzwerke, die Medizinprodukte
contenant des dispositifs médicaux - beinhalten -
Partie 1: Fonctions, responsabilités et Teil 1: Aufgaben, Verantwortlichkeiten und
activités Aktivitäten
(CEI 80001-1:2010) (IEC 80001-1:2010)




This European Standard was approved by CENELEC on 2011-02-01. CENELEC members are bound to comply
with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard
the status of a national standard without any alteration.

Up-to-date lists and bibliographical references concerning such national standards may be obtained on
application to the Central Secretariat or to any CENELEC member.

This European Standard exists in three official versions (English, French, German). A version in any other
language made by translation under the responsibility of a CENELEC member into its own language and notified
to the Central Secretariat has the same status as the official versions.

CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus,
the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia,
Spain, Sweden, Switzerland and the United Kingdom.

CENELEC
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung

Management Centre: Avenue Marnix 17, B - 1000 Brussels


© 2011 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. EN 80001-1:2011 E

---------------------- Page: 3 ----------------------

SIST EN 80001-1:2011
EN 80001-1:2011 - 2 -
Foreword
The text of document 62A/703/FDIS, future edition 1 of IEC 80001-1, prepared by SC 62A, Common
aspects of electrical equipment used in medical practice, of IEC TC 62, Electrical equipment in medical
practice, was submitted to the IEC-CENELEC parallel vote and was approved by CENELEC as
EN 80001-1 on 2011-02-01.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN and CENELEC shall not be held responsible for identifying any or all such patent
rights.
The following dates were fixed:
– latest date by which the EN has to be implemented
at national level by publication of an identical
national standard or by endorsement (dop) 2011-11-01
– latest date by which the national standards conflicting
with the EN have to be withdrawn (dow) 2014-02-01
Terms defined in Clause 2 of this standard are printed in SMALL CAPITALS.
For the purposes of this standard:
— “shall” means that compliance with a requirement is mandatory for compliance with this standard;
— “should” means that compliance with a requirement is recommended but is not mandatory for
compliance with this standard;
— “may” is used to describe a permissible way to achieve compliance with a requirement; and
— “establish” means to define, document, and implement.
__________
Endorsement notice
The text of the International Standard IEC 80001-1:2010 was approved by CENELEC as a European
Standard without any modification.
In the official version, for Bibliography, the following notes have to be added for the standards indicated:
[1] IEC 60601-1:2005 NOTE  Harmonized as EN 60601-1:2006 (not modified).
[2] IEC 61907:2009 NOTE  Harmonized as EN 61907:2010 (not modified).
[3] IEC 62304:2006 NOTE  Harmonized as EN 62304:2006 (not modified).
[4] ISO 14971:2007 NOTE  Harmonized as EN ISO 14971:2009 (not modified).
[7] ISO 16484-2:2004 NOTE  Harmonized as EN ISO 16484-2:2004 (not modified).
[8] ISO 9000:2005 NOTE  Harmonized as EN ISO 9000:2005 (not modified).
__________

---------------------- Page: 4 ----------------------

SIST EN 80001-1:2011

IEC 80001-1
Edition 1.0 2010-10
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
colour
inside
Application of risk management for IT-networks incorporating medical devices –
Part 1: Roles, responsibilities and activities

Application de la gestion des risques aux réseaux des technologies de
l’information contenant des dispositifs médicaux –
Partie 1: Fonctions, responsabilités et activités

INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
COMMISSION
ELECTROTECHNIQUE
PRICE CODE
INTERNATIONALE
X
CODE PRIX
ICS 11.040.01; 35.240.80 ISBN 978-2-88912-221-9

---------------------- Page: 5 ----------------------

SIST EN 80001-1:2011
– 2 – 80001-1 © IEC:2010
CONTENTS
FOREWORD.4
INTRODUCTION.6
1 Scope.9
2 Terms and definitions .9
3 Roles and responsibilities.14
3.1 General .14
3.2 RESPONSIBLE ORGANIZATION .14
3.3 TOP MANAGEMENT responsibilities .15
3.4 MEDICAL IT-NETWORK RISK MANAGER .16
3.5 MEDICAL DEVICE manufacturer(s).17
3.6 Providers of other information technology.18
4 Life cycle RISK MANAGEMENT in MEDICAL IT-NETWORKS.19
4.1 Overview .19
4.2 RESPONSIBLE ORGANIZATION RISK MANAGEMENT.20
4.2.1 POLICY FOR RISK MANAGEMENT for incorporating MEDICAL DEVICES.20
4.2.2 RISK MANAGEMENT PROCESS.21
4.3 MEDICAL IT-NETWORK RISK MANAGEMENT planning and documentation .21
4.3.1 Overview .21
4.3.2 RISK-relevant asset description.22
4.3.3 MEDICAL IT-NETWORK documentation .22
4.3.4 RESPONSIBILITY AGREEMENT .22
4.3.5 RISK MANAGEMENT plan for the MEDICAL IT-NETWORK .24
4.4 MEDICAL IT-NETWORK RISK MANAGEMENT.24
4.4.1 Overview .24
4.4.2 RISK ANALYSIS .24
4.4.3 RISK EVALUATION .25
4.4.4 RISK CONTROL .25
4.4.5 RESIDUAL RISK evaluation and reporting .26
4.5 CHANGE-RELEASE MANAGEMENT and CONFIGURATION MANAGEMENT .27
4.5.1 CHANGE-RELEASE MANAGEMENT PROCESS.27
4.5.2 Decision on how to apply RISK MANAGEMENT.27
4.5.3 Go-live .29
4.6 Live network RISK MANAGEMENT.29
4.6.1 Monitoring .29
4.6.2 EVENT MANAGEMENT .29
5 Document control .30
5.1 Document control procedure.30
5.2 MEDICAL IT-NETWORK RISK MANAGEMENT FILE.30
Annex A (informative) Rationale.31
Annex B (informative) Overview of RISK MANAGEMENT relationships .35
Annex C (informative) Guidance on field of application .36
Annex D (informative) Relationship with ISO/IEC 20000-2:2005 Information technology
– Service management – Part 2: Code of practice.38
Bibliography.42

---------------------- Page: 6 ----------------------

SIST EN 80001-1:2011
80001-1 © IEC:2010 – 3 –
Figure 1 – Illustration of TOP MANAGEMENT responsibilities.16
Figure 2 – Overview of life cycle of MEDICAL IT-NETWORKS including RISK MANAGEMENT .20
Figure B.1 – Overview of roles and relationships .35
Figure D.1 – Service management processes .39

Table A.1 – Relationship between ISO 14971 and IEC 80001-1 .33
Table C.1 – IT-NETWORK scenarios that can be encountered in a clinical environment.36
Table D.1 – Relationship between IEC 80001-1 and ISO/IEC 20000-1:2005 or
ISO/IEC 20000-2:2005.40

---------------------- Page: 7 ----------------------

SIST EN 80001-1:2011
– 4 – 80001-1 © IEC:2010
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________

APPLICATION OF RISK MANAGEMENT FOR IT-NETWORKS
INCORPORATING MEDICAL DEVICES –

Part 1: Roles, responsibilities and activities


FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 80001-1 has been prepared by a joint working group of
subcommittee 62A: Common aspects of electrical equipment used in medical practice, of IEC
technical committee 62: Electrical equipment in medical practice and ISO technical committee
215: Health informatics.
It is published as a double logo standard.
The text of this standard is based on the following documents:
FDIS Report on voting
62A/703/FDIS 62A/718/RVD

Full information on the voting for the approval of this standard can be found in the report on
voting indicated in the above table. In ISO, the standard has been approved by 17 P-members
out of 18 having cast a vote.

---------------------- Page: 8 ----------------------

SIST EN 80001-1:2011
80001-1 © IEC:2010 – 5 –
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
Terms defined in Clause 2 of this standard are printed in SMALL CAPITALS.
For the purposes of this standard:
• “shall” means that compliance with a requirement is mandatory for compliance with this
standard;
• “should” means that compliance with a requirement is recommended but is not mandatory
for compliance with this standard;
• “may” is used to describe a permissible way to achieve compliance with a requirement;
and
• “establish” means to define, document, and implement.
A list of all parts of the IEC 80001 series, published under the general title Application of risk
management for IT-networks incorporating medical devices, can be found on the IEC website.
The committee has decided that the contents of this publication will remain unchanged until
the stability date indicated on the IEC web site under "http://webstore.iec.ch" in the data
related to the specific publication. At this date, the publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.

IMPORTANT – The 'colour inside' logo on the cover page of this publication indicates
that it contains colours which are considered to be useful for the correct
understanding of its contents. Users should therefore print this document using a
colour printer.

---------------------- Page: 9 ----------------------

SIST EN 80001-1:2011
– 6 – 80001-1 © IEC:2010
INTRODUCTION
An increasing number of MEDICAL DEVICEs are designed to exchange information electronically
with other equipment in the user environment, including other MEDICAL DEVICES. Such
information is frequently exchanged through an information technology network (IT-NETWORK)
that also transfers data of a more general nature.
At the same time, IT-NETWORKS are becoming increasingly vital to the clinical environment
and are now required to carry increasingly diverse traffic, ranging from life-critical patient data
requiring immediate delivery and response, to general corporate operations data and to email
containing potential malicious content (e.g. viruses).
For many jurisdictions, design and production of MEDICAL DEVICES is subject to regulation, and
to standards recognized by the regulators. Traditionally, regulators direct their attention to
MEDICAL DEVICE manufacturers, by requiring design features and by requiring a documented
PROCESS for design and manufacturing. MEDICAL DEVICES cannot be placed on the market in
these jurisdictions without evidence that those requirements have been met.
The use of the MEDICAL DEVICES by clinical staff is also subject to regulation. Members of
clinical staff have to be appropriately trained and qualified, and are increasingly subject to
defined PROCESSES designed to protect patients from unacceptable RISK.
In contrast, the incorporation of MEDICAL DEVICES into IT-NETWORKS in the clinical environment
1)
is a less regulated area. IEC 60601-1:2005 [1] requires MEDICAL DEVICE manufacturers to
include some information in ACCOMPANYING DOCUMENTS if the MEDICAL DEVICE is intended to be
connected to an IT-NETWORK. Standards are also in place covering common information
technology activities including planning, design and maintenance of IT-NETWORKS, for
instance ISO 20000-1:2005 [9]. However, until the publication of this standard, no standard
addressed how MEDICAL DEVICES can be connected to IT-NETWORKS, including general-purpose
IT-NETWORKS, to achieve INTEROPERABILITY without compromising the organization and
delivery of health care in terms of SAFETY, EFFECTIVENESS, and DATA AND SYSTEM SECURITY.
There remain a number of potential problems associated with the incorporation of MEDICAL
DEVICES into IT-NETWORKS, including:
– lack of consideration for RISK from use of IT-NETWORKS during evaluation of clinical RISK;
– lack of support from manufacturers of MEDICAL DEVICES for the incorporation of their
products into IT-NETWORKS, (e.g. the unavailability or inadequacy of information provided
by the manufacturer to the OPERATOR of the IT-NETWORK);
– incorrect operation or degraded performance (e.g. incompatibility or improper
configuration) resulting from combining MEDICAL DEVICES and other equipment on the same
IT-NETWORK;
– incorrect operation resulting from combining MEDICAL DEVICE SOFTWARE and other software
applications (e.g. open email systems or computer games) in the same IT-NETWORK;
– lack of security controls on many MEDICAL DEVICES; and
– the conflict between the need for strict change control of MEDICAL DEVICES and the need
for rapid response to the threat of cyberattack.
When these problems manifest themselves, unintended consequences frequently follow.
This standard is addressed to RESPONSIBLE ORGANIZATIONS, to manufacturers of MEDICAL
DEVICES, and to providers of other information technology.
___________
1)
Numbers in square brackets refer to the Bibliography.

---------------------- Page: 10 ----------------------

SIST EN 80001-1:2011
80001-1 © IEC:2010 – 7 –
This standard adopts the following principles as a basis for its normative and informative
sections:
– The incorporation or removal of a MEDICAL DEVICE or other components in an IT-NETWORK
is a task which requires design of the action; this might be out of the control of the
manufacturer of the MEDICAL DEVICE.
– RISK MANAGEMENT should be used before the incorporation of a MEDICAL DEVICE into an IT-
NETWORK takes place, and for any changes during the entire life cycle of the resulting
MEDICAL IT-NETWORK, to avoid unacceptable RISKS, including possible RISK to patients,
resulting from the incorporation of the MEDICAL DEVICE into the IT-NETWORK. Many things
are part of a RISK decision, such as liability, cost, or impact on mission. These should be
considered in determining acceptable RISK in addition to the requirements described in
this standard.
– Aspects of removal, maintenance, change or modification of equipment, items or
components should be addressed adequately in addition to the incorporation of MEDICAL
DEVICES.
– The manufacturer of the MEDICAL DEVICE is responsible for RISK MANAGEMENT of the
MEDICAL DEVICE during the design, implementation, and manufacturing of the MEDICAL
DEVICE. This standard does not cover the RISK MANAGEMENT PROCESS for the MEDICAL
DEVICE.
– The manufacturer of a MEDICAL DEVICE intended to be incorporated into an IT-NETWORK
might need to provide information about the MEDICAL DEVICE that is necessary to allow the
RESPONSIBLE ORGANIZATION to manage RISK according to this standard. This information
can include, as part of the ACCOMPANYING DOCUMENTS, instructions specifically addressed
to the person who incorporates a MEDICAL DEVICE into an IT-NETWORK.
– Such ACCOMPANYING DOCUMENTS should convey instructions about how to incorporate the
MEDICAL DEVICE into the IT-NETWORK, how the MEDICAL DEVICE transfers information over
the IT-NETWORK, and the minimum IT-NETWORK characteristics necessary to enable the
INTENDED USE of the MEDICAL DEVICE when it is incorporated into the IT-NETWORK. The
ACCOMPANYING DOCUMENTS should warn of possible hazardous situations associated with
failure or disruptions of the IT-NETWORK, and the misuse of the IT-NETWORK connection or
of the information that is transferred over the IT-NETWORK.
– RESPONSIBILITY AGREEMENTS can establish roles and responsibilities among those engaged
in the incorporation of a MEDICAL DEVICE into an IT-NETWORK, all aspects of the life cycle of
the resulting MEDICAL IT-NETWORK and all activities that form part of that life cycle.
– The RESPONSIBLE ORGANIZATION is required to appoint people to certain roles defined in
this standard. This standard defines the responsibilities of those roles. The most important
of those roles is the MEDICAL IT-NETWORK RISK MANAGER. This role can be assigned to
someone within the RESPONSIBLE ORGANIZATION or to an external contractor.
– The MEDICAL IT-NETWORK RISK MANAGER is responsible for ensuring that RISK MANAGEMENT
is included during the PROCESSES of:
• planning and design of new incorporations of MEDICAL DEVICES or changes to such
incorporations;
• putting the MEDICAL IT-NETWORK into use and the consequent use of the MEDICAL IT-
NETWORK; and
• CHANGE-RELEASE MANAGEMENT and change management of the IT-NETWORK during the
IT-NETWORK’S entire life cycle.
– RISK MANAGEMENT should be applied to address the following KEY PROPERTIES appropriate
for the IT-NETWORK incorporating a MEDICAL DEVICE:
• SAFETY (freedom from unacceptable RISK of physical injury or damage to the health of
people or damage to property or the environment);
• EFFECTIVENESS (ability to produce the intended result for the patient and the RESPONSIBLE
ORGANIZATION); and

---------------------- Page: 11 ----------------------

SIST EN 80001-1:2011
– 8 – 80001-1 © IEC:2010
• DATA AND SYSTEM SECURITY (an operational state of a MEDICAL IT-NETWORK in which
information assets (data and systems) are reasonably protected from degradation of
confidentiality, integrity, and availability).

---------------------- Page: 12 ----------------------

SIST EN 80001-1:2011
80001-1 © IEC:2010 – 9 –
APPLICATION OF RISK MANAGEMENT FOR IT-NETWORKS
INCORPORATING MEDICAL DEVICES –

Part 1: Roles, responsibilities and activities



1 Scope
Recognizing that MEDICAL DEVICES are incorporated into IT-NETWORKS to achieve desirable
INTEROPERABILITY), this international standard defines the roles,
benefits (for example,
responsibilities and activities that are necessary for RISK MANAGEMENT of IT-NETWORKS
incorporating MEDICAL DEVICES to address SAFETY, EFFECTIVENESS and DATA AND SYSTEM

SECURITY (the KEY PROPERTIES). This international standard does not specify acceptable RISK
levels.
NOTE 1 The RISK MANAGEMENT activities described in this standard are derived from those in ISO 14971 [4 ]. Th e
relationship between ISO 14971 and this standard is described in A nne x A .
This standard applies after a MEDICAL DEVICE has been acquired by a RESPONSIBLE
ORGANIZATION and is a candidate for incorporation into an IT-NETWORK.
NOTE 2 This standard does not cover pre-market RISK MANAGEMENT.
This standard applies throughout the life cycle of IT-NETWORKS incorporating MEDICAL DEVICES.
NOTE 3 The life cycle management activities described in this standard are very similar to those of
ISO/IEC 20000-2 [10]. The relationship between ISO/IEC 20000-2 and this standard is described in A nne x D.
This standard applies where there is no single MEDICAL DEVICE manufacturer assuming
responsibility for addressing the KEY PROPERTIES of the IT-NETWORK incorporating a MEDICAL
DEVICE.
NOTE 4 If a single manufacturer specifies a complete MEDICAL DEVICE that includes a network, the installation or
assembly of the MEDICAL DEVICE according to the manufacturer’s ACCOMPANYING DOCUMENTS is not subject to the
provisions of this standard regardless of who installs or assembles the MEDICAL DEVICE.
NOTE 5 If a single manufacturer specifies a complete MEDICAL DEVICE that includes a network, additions to that
MEDICAL DEVICE or modification of the configuration of that MEDICAL DEVICE, other than as specified by the
manufacturer, is subject to the provisions of this standard.
This standard applies to RESPONSIBLE ORGANIZATIONS, MEDICAL DEVICE manufacturers and
providers of other information technology for the purpose of RISK MANAGEMENT of an IT-
NETWORK incorporating MEDICAL DEVICES as specified by the RESPONSIBLE ORGANIZATION.
This standard does not apply to personal use applications where the patient, OPERATOR and
RESPONSIBLE ORGANIZATION are one and the same person.
NOTE 6 In cases where a MEDICAL DEVICE is used at home under the supervision or instruction of the provider,
that provider is deemed to be the RESPONSIBLE ORGANIZATION. Personal use where the patient acquires and uses a
MEDICAL DEVICE without the supervision or instruction of a provider is out of scope of this standard.
This standard does not address regulatory or legal requirements.
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply:

---------------------- Page: 13 ----------------------

SIST EN 80001-1:2011
– 10 – 80001-1 © IEC:2010
2.1
ACCOMPANYING DOCUMENT
a document accompanying a MEDICAL DEVICE or an accessory and containing information for
the RESPONSIBLE ORGANIZATION or OPERATOR, particularly regarding SAFETY
NOTE Adapted from IEC 60601-1:2005, definition 3.4.
2.2
CHANGE-RELEASE MANAGEMENT
PROCESS that ensures that all changes to the IT-NETWORK are assessed, approved,
implemented and reviewed in a controlled manner and that changes are delivered, distributed,
and tracked, leading to release of the change in a controlled manner with appropriate input
and output with CONFIGURATION MANAGEMENT
NOTE Adapted from ISO/IEC 20000-1:2005, Subclauses 9.2 (change management) and 10.1 (release
management).
2.3
CHANGE PERMIT
an outcome of the RISK MANAGEMENT PROCESS consisting of a document that allows a specified
change or type of change without further RISK MANAGEMENT Activities subject to specified
constraints
2.4
CONFIGURATION MANAGEMENT
a PROCESS that ensures that configuration information of components and the IT-NETWORK are
defined and maintained in an accurate and controlled manner, and
...