ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked

Implementation Examples

Ex1: Implement and follow procedures for the formal documentation, review, testing, and approval of proposed changes and requested exceptions

Ex2: Document the possible risks of making or not making each proposed change, and provide guidance on rolling back changes

Ex3: Document the risks related to each requested exception and the plan for responding to those risks

Ex4: Periodically review risks that were accepted based upon planned future actions or milestones