ISRA Project Change Scope Definition

Introduction

The Information Security Risk Assessment (ISRA) Questionnaire is a critical tool in IT risk management frameworks, helping organizations identify, assess, and mitigate risks associated with IT changes and projects. This document defines the scope of project changes that trigger an ISRA evaluation. By categorizing changes into specific types, teams can systematically determine when a full risk assessment is required.

This enhanced guide builds on the original ISRA Project Change Scope Definition by:

  • Providing clearer, more concise definitions and examples.

  • Fixing minor grammatical issues and inconsistencies (e.g., formatting examples uniformly).

  • Adding key considerations for each category, including potential risks and ISRA triggers.

  • Structuring it for easy navigation in a blog or documentation format.

Use this as a reference when scoping projects: if a change fits any of the categories below, initiate the ISRA Questionnaire to evaluate controls, compliance, and residual risk. For more on the full ISRA process, see ISRA Questionnaire Overview.


1. New System

Definition: A new system (application or infrastructure) developed or acquired by the organization to fulfill a new business need. The system must be registered in the Information Security Management System (ISMS) asset list.

Examples:

  • Introducing a new application system.

  • Introducing new IT infrastructure.

Key Considerations: High risk due to untested integrations and potential exposure of sensitive data. Triggers a full ISRA to establish baseline security controls (e.g., access management, encryption) before the system is registered and goes live.


2. Architecture Change

Definition: Modifications to the high-level design of a system, including its structure, components, interfaces, etc.

Examples:

  • Migrating from monolithic to microservices architecture.

  • Replacing legacy architecture with cloud-based infrastructure.

  • Changing from single-site to dual-site architecture for resilience.

Key Considerations: Changes scalability and security posture; new component boundaries and interfaces must be assessed for vulnerabilities. ISRA focus: architectural resilience and data isolation between components.


3. Code Change on Existing Application System

Definition: Updates or modifications to the source code of an existing application, developed in-house or by a third-party service provider.

Examples:

  • Adding new features or functionality to an existing system.

  • Fixing a bug in the software logic.

  • Rewriting the code base with a new programming language.

Key Considerations: Even minor changes can introduce vulnerabilities (e.g., injection flaws). ISRA triggers code review and testing against the OWASP Top 10 risks.


4. Change of Internet-Facing System

Definition: Modifications to systems that are accessible from the public internet.

Examples:

  • Updating processes/functions of a public-facing website and/or web application.

  • Updating processes/functions of a mobile application.

Key Considerations: Elevated exposure to external threats such as DDoS and SQL injection. ISRA is mandatory and covers web application firewall (WAF) protection and penetration testing before release.


5. New Server/Software

Definition: Deployment of a new server or software.

Examples:

  • Setting up a new server for application hosting.

  • Installing a new enterprise application.

Key Considerations: Introduces new attack surfaces; evaluate vendor security and patching. ISRA emphasis: Baseline hardening and logging.


6. Change of Server/Software

Definition: Modifications to an existing server or software.

Examples:

  • Upgrading the operating system via Technology Refreshment.

  • Replacing the server software with a new product.

Key Considerations: Compatibility issues may weaken or silently disable existing controls. ISRA required for regression testing and access audits after the change.


7. New or Change of Hardware

Definition: Deployment or modification of physical hardware components.

Examples:

  • Upgrading hardware in a data center.

  • Deploying a new physical server.

  • Adding network/storage devices to increase capacity.

  • Adding blade servers to support enterprise applications.

Key Considerations: Physical security risks (e.g., tampering). ISRA scope: Environmental controls and supply chain verification.


8. New or Change of Database

Definition: Deployment of a new database or changes to an existing database system.

Examples:

  • Deploying a new database for an application.

  • Migrating the database from MSSQL to MySQL.

  • Migrating data out of an existing database.

Key Considerations: Data integrity and confidentiality are at stake during migrations. ISRA focus: encryption at rest and in transit, and backup validation before and after the migration.


9. New or Change of Network

Definition: Deployment or modification of network infrastructure or configuration.

Examples:

  • Setting up a new VPN for remote employees.

  • Changing the network segmentation (e.g., via firewall) for enhanced security.

  • Implementing a new SD-WAN solution.

  • Relocating network switches or routers.

Key Considerations: Misconfigurations can enable lateral movement by attackers. ISRA triggers updated network diagramming and a segmentation review.


10. New or Change of API

Definition: Deployment of a new API or changes to an existing API used for system communication.

Examples:

  • Creating a new API to integrate with a third-party service.

  • Updating an API to support additional endpoints or features.

  • Modifying API authentication methods, such as switching to OAuth 2.0.

Key Considerations: APIs are common breach vectors (e.g., broken authentication and authorization). ISRA required for authentication, authorization checks on each endpoint, rate limiting, and API gateway controls.


11. New Cloud Service Adoption

Definition: Onboarding a new cloud service provider or solution for business operations.

Examples:

  • Adopting AWS for hosting web applications.

  • Subscribing to a SaaS solution like Microsoft 365.

Key Considerations: Under the shared responsibility model, controls the provider does not cover fall to the organization; unclear ownership of these controls creates compliance gaps. ISRA emphasis: cloud-specific policies (e.g., data residency) and a documented split of responsibilities.


12. New or Change of Cloud-Based Resource

Definition: Deployment or modification of specific cloud-based resources.

Examples:

  • Creating new virtual machines or containers in a cloud environment.

  • Modifying the configuration of cloud storage buckets or networks.

  • Scaling up or down cloud instances based on workload requirements.

Key Considerations: Over-permissive roles and exposed resources (e.g., public storage buckets) widen the blast radius of a compromise. ISRA scope: IAM roles, storage and network exposure, and auto-scaling security.


13. New or Change of Client-Side Endpoint Device

Definition: Deployment or modification of user devices like desktops, laptops, or mobile devices.

Examples:

  • Introducing new company-issued laptops with pre-installed common/security tools.

  • Upgrading endpoint devices to newer hardware models.

  • Introducing new service kiosks (e.g., betting terminals).

Key Considerations: Endpoints are prime targets for malware. ISRA checks MDM/EDR coverage and remote-wipe capability for the new or changed devices.


14. New or Change of Cryptographic Keys

Definition: Deployment or modification of encryption keys used to secure systems or data.

Examples:

  • Generating and deploying new SSL/TLS certificates for a web application.

  • Changing the keys used in database encryption.

  • Rotating API keys or token signing keys.

Key Considerations: Key compromise exposes all data protected by that key. ISRA focus: key lifecycle management (generation, storage, rotation, revocation) and HSM usage.


15. New or Change of User Access Authentication/Permission Design

Definition: Implementation or modification of how users authenticate and access systems.

Examples:

  • Introducing multi-factor authentication (MFA) for all users.

  • Redesigning role-based access control (RBAC) policies.

  • Updating password policies and/or authentication methods.

Key Considerations: Weak authentication enables unauthorized access. ISRA required, including a least-privilege audit of the new permission design.


16. New or Change of Data Flow

Definition: Modifications to how data moves between systems or entities.

Examples:

  • Redirecting data flows through a new data processing platform.

  • Adding encryption for data in transit between applications.

  • Moving data processing from on-premises to a cloud environment.

Key Considerations: Exposes data to interception and leakage while in transit. ISRA scope: DLP tooling and data-flow diagramming.


17. Introduce Remote Access to Lifeblood/Critical Systems

Definition: Allowing external or remote access to critical systems essential for business operations.

Examples:

  • Enabling secure remote access for administrators to a production database.

  • Setting up remote desktop access to critical financial systems.

  • Implementing a VPN to access critical systems from offsite locations.

Key Considerations: High impact if breached (business continuity threat). ISRA mandatory, with focus on zero-trust verification of each access and session monitoring.
