# Change Management Policy

| Property | Value |
|---|---|
| Document ID | POL-006 |
| Version | 1.0 |
| Status | Draft |
| Owner | Chief Information Security Officer (CISO) |
| Last Updated | 2026-01-11 |
| Next Review | 2027-01-11 |
| Related Controls | SOC 2: CC8.1 / ISO 27001: A.12.1, A.14.2 |
## 1. Purpose
This policy establishes requirements for managing changes to information systems, applications, and infrastructure to minimize risk, prevent unauthorized modifications, and maintain system integrity and availability.
## 2. Scope
This policy applies to:
- Systems: All production systems, applications, databases, networks, and infrastructure
- Changes: Configuration changes, code deployments, infrastructure modifications, security patches
- Environments: Production, staging, and shared development environments
- Personnel: All individuals with the ability to make system changes
## 3. Policy Statements

### 3.1 Change Management Principles

All changes must adhere to the following principles:

| Principle | Description |
|---|---|
| Authorization | All changes require documented approval before implementation |
| Documentation | Changes must be recorded with sufficient detail for audit |
| Testing | Changes must be tested before production deployment |
| Reversibility | Rollback procedures must be defined for all changes |
| Separation of Duties | Developer ≠ Approver ≠ Deployer (where feasible) |
| Least Privilege | Changes made with minimum necessary permissions |
### 3.2 Change Categories

| Category | Description | Approval Level | Lead Time |
|---|---|---|---|
| Standard | Pre-approved, low-risk, routine changes | Pre-approved template | None |
| Normal | Planned changes with known risk | CAB / Change Manager | 3-5 business days |
| Emergency | Urgent changes to restore service or fix a critical security issue | Emergency CAB | Immediate (post-approval within 24h) |
| Major | High-risk changes affecting critical systems | CAB + Executive | 10+ business days |
### 3.3 Change Request Requirements

All change requests must include:

| Field | Description | Required |
|---|---|---|
| Change ID | Unique identifier | Yes |
| Requestor | Person initiating change | Yes |
| Description | Detailed description of change | Yes |
| Business Justification | Why the change is needed | Yes |
| Affected Systems | Systems/services impacted | Yes |
| Risk Assessment | Impact and likelihood | Yes |
| Test Plan | How change was/will be tested | Yes |
| Rollback Plan | Steps to reverse the change | Yes |
| Implementation Plan | Step-by-step deployment | Yes |
| Schedule | Planned date and time | Yes |
| Approvals | Required sign-offs | Yes |
### 3.4 Change Approval Matrix

| Change Type | Technical Lead | Security | Change Manager | CAB | Executive |
|---|---|---|---|---|---|
| Standard | Pre-approved | N/A | N/A | N/A | N/A |
| Normal (Low Risk) | Required | Optional | Required | N/A | N/A |
| Normal (Medium Risk) | Required | Required | Required | N/A | N/A |
| Normal (High Risk) | Required | Required | Required | Required | N/A |
| Emergency | Post-approval | Post-approval | Required | Post-review | N/A |
| Major | Required | Required | Required | Required | Required |
### 3.5 Change Advisory Board (CAB)
The CAB reviews and approves changes that:
- Affect multiple systems or services
- Carry medium to high risk
- Require cross-team coordination
- Impact customer-facing services
CAB Composition:
- IT Operations Lead
- Security Representative
- Development Lead
- Infrastructure Lead
- Business Representative (as needed)
CAB Schedule: Weekly (or as needed for urgent changes)
### 3.6 Development and Deployment Pipeline

#### 3.6.1 Environment Progression

```
┌─────────────┐    ┌─────────────┐    ┌─────────────┐    ┌─────────────┐
│ Development │───▶│   Testing   │───▶│   Staging   │───▶│ Production  │
│             │    │    (QA)     │    │             │    │             │
└─────────────┘    └─────────────┘    └─────────────┘    └─────────────┘
       │                   │                   │                   │
       ▼                   ▼                   ▼                   ▼
   Developer          Automated           Pre-prod           Approved
    testing            testing           validation         deployment
```
#### 3.6.2 Code Change Requirements

| Requirement | Description |
|---|---|
| Version Control | All code changes tracked in Git |
| Branch Protection | Main/production branches protected |
| Code Review | Peer review required before merge |
| Automated Testing | CI pipeline with unit/integration tests |
| Security Scanning | SAST/DAST in pipeline |
| Approval Gates | Required approvals before production |
#### 3.6.3 Infrastructure as Code (IaC)
Infrastructure changes must:
### 3.7 Production Access Controls

| Control | Requirement |
|---|---|
| Direct Access | Prohibited for routine changes |
| Emergency Access | Break-glass procedure with audit |
| Deployment | Automated via CI/CD pipeline |
| Database Changes | Scripted and reviewed |
| Manual Changes | Documented and dual-control for critical systems |
### 3.8 Emergency Change Procedure

```
┌─────────────────┐
│    Emergency    │
│   Identified    │
└────────┬────────┘
         │
         ▼
┌─────────────────┐
│  Notify Change  │
│ Manager/On-Call │
└────────┬────────┘
         │
         ▼
┌─────────────────┐    ┌─────────────────┐
│  Implement Fix  │───▶│ Document Change │
│ (with approval) │    │  (within 24h)   │
└────────┬────────┘    └────────┬────────┘
         │                      │
         ▼                      ▼
┌─────────────────┐    ┌─────────────────┐
│   Verify Fix    │    │  Post-incident  │
│                 │    │     Review      │
└─────────────────┘    └─────────────────┘
```
Emergency changes require:
- Verbal approval from Change Manager or designated authority
- Implementation with witness/pair where possible
- Full documentation within 24 hours
- Post-change review at next CAB
### 3.9 Rollback Requirements

All changes must have a defined rollback plan:

| Element | Description |
|---|---|
| Trigger Criteria | Conditions that warrant rollback |
| Rollback Steps | Detailed procedure to reverse change |
| Rollback Owner | Person responsible for executing rollback |
| Time Estimate | Expected time to complete rollback |
| Verification | How to confirm successful rollback |
## 4. Roles and Responsibilities

| Role | Responsibilities |
|---|---|
| Change Manager | Oversee change process, chair CAB, approve changes |
| Change Requestor | Submit complete change requests, own implementation |
| Technical Lead | Technical review and approval |
| Security Team | Security review for relevant changes |
| CAB Members | Review and approve high-risk changes |
| Operations Team | Implement changes, monitor outcomes |
## 5. Implementation Checklist

### Technical Controls

### Process Controls
## 6. Evidence Requirements

| Evidence Type | Description | Location | Retention |
|---|---|---|---|
| Change Tickets | All change requests with approvals | Ticketing system | 3 years |
| Deployment Logs | CI/CD pipeline execution logs | CI/CD platform | 1 year |
| Git History | Code commits and merge approvals | Git repository | Indefinite |
| CAB Minutes | Meeting notes and decisions | Document repository | 3 years |
| Rollback Records | Documentation of any rollbacks | Change tickets | 3 years |
| Emergency Changes | Post-implementation documentation | Ticketing system | 3 years |
## 7. Related Documents
## 8. Metrics and Reporting

| Metric | Target | Frequency |
|---|---|---|
| Change success rate | >95% | Monthly |
| Emergency changes | <10% of total | Monthly |
| Changes with rollback | <5% | Monthly |
| Mean time to deploy | Defined per team | Monthly |
| Failed deployments | <5% | Monthly |
## 9. Version History

| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2026-01-11 | Security Team | Initial release |
| | | | |
| | | | |
## 10. Approval

| Role | Name | Signature | Date |
|---|---|---|---|
| CISO | _________________ | _________________ | ________ |
| IT Director | _________________ | _________________ | ________ |
This document is classified as INTERNAL. Unauthorized distribution is prohibited.