requirements. Disaster recovery and business continuity testing should be conducted at least once a year. Ability procedures for change requests, tracking changes, testing changes, separate environments, version control management, enterprise architecture, penetration testing, and strategy. Centre for Internet Security (CIS) incident response management, and penetration testing. Audit Controls: Enforce information security policies lists, change requests, CAB meeting evidence, testing of changes, program library use, version control