Back out procedures should be prepared for which of the following?

Explanation:
Back-out procedures are the steps you take to revert a change if it causes problems, protecting security and service availability. In PCI DSS practice, you demonstrate control by testing a representative sample of changes, not every single change, to show there is documented and executable rollback capability. Therefore, the best approach is to have back-out procedures prepared for each sampled change, so auditors can verify that for those changes there is a clear plan to revert, validate the revert, and notify stakeholders if something goes wrong. This emphasizes practical testing and evidence of a rollback process without requiring an auditable plan for every single change, while also covering non-emergency and non-major changes in the sampling.
