To verify significant change compliance, which set of actions should be used?

Boost your readiness for the PCI DSS Requirements Exam with engaging flashcards and comprehensive multiple choice questions. Each comes with hints and explanations to maximize your understanding!

Multiple Choice

To verify significant change compliance, which set of actions should be used?

Explanation:
Verifying significant change compliance requires gathering evidence from multiple angles to confirm that changes were properly requested, approved, tested, implemented, and monitored. Examining change records shows that a formal change was initiated and moved through the required steps, establishing procedural compliance. Interviewing personnel confirms that those responsible understand and follow the change process and that duties were carried out as planned. Observing the affected systems and networks provides real-world confirmation that the change is visible in the environment, is functioning as intended, and that the implemented controls reflect the approved design. Relying on only one source can leave gaps—records can be incomplete, interviews may not prove actual execution, and watching systems alone might miss governance and authorization aspects. Using all three together gives a complete, verifiable picture of both the process and the outcome.

