Change Management: Definition and Compliance Requirements
Change Management
Change management is the formal process organizations use to propose, evaluate, approve, implement, and review changes to information systems and infrastructure. It ensures that changes are introduced in a controlled manner, reducing the risk of outages, security vulnerabilities, and unintended consequences.
The Change Management Process
A typical change management workflow includes:
- Change request — A formal request describing the proposed change, its purpose, and its expected impact
- Risk assessment — Evaluation of the potential impact and risks of the change
- Approval — Review and authorization by appropriate stakeholders (often a change advisory board or designated approver)
- Implementation — Execution of the change according to the approved plan
- Testing and validation — Verification that the change works as intended and has not introduced new issues
- Documentation — Recording the change details, approvals, and outcomes for audit purposes
Why It Matters
SOC 2 places heavy emphasis on change management. In the Trust Services Criteria, Common Criteria CC8.1 requires that the organization authorize, design, develop or acquire, configure, document, test, approve, and implement changes to infrastructure, data, software, and procedures. Auditors will sample changes from across the audit period and verify that each one followed the documented process, so evidence for every step must exist for every change, not only for the ones that were planned well in advance.
ISO 27001 addresses change management through multiple Annex A controls: a dedicated change management control (A.8.32 in ISO/IEC 27001:2022, A.12.1.2 in the 2013 edition) together with the secure development life cycle requirements (A.8.25 in the 2022 edition). Unauthorized or undocumented changes are a significant audit finding.
PCI DSS Requirement 6 requires formal change control procedures for all changes to system components in the cardholder data environment (Requirement 6.5.1 in PCI DSS v4.0, Requirement 6.4 in v3.2.1), and after a significant change the organization must confirm that all applicable PCI DSS requirements are still in place (6.5.2 in v4.0).
Best Practices
Separate environments. Maintain separate development, staging, and production environments. Changes should be tested in non-production environments before deployment.
Require peer review. Code and configuration changes should be reviewed and approved by someone other than the author. This catches errors and enforces segregation of duties; an author approving their own change is a control failure that auditors will flag.
Track everything. Use ticketing systems or version control platforms to maintain a complete audit trail of every change: the request, who reviewed and approved it, the test evidence, and when it was deployed. Auditors expect to be handed this evidence for any change they sample.
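The checks an auditor applies when sampling changes (approval exists, approver is not the author, a ticket is linked, production changes were tested outside production, deployment happened after approval) can be run continuously against the change records themselves. The following is an added example, not code from the original page or from any of the cited frameworks; the change records, environment names and ticket IDs are constructed sample data, and the field layout is an assumption about what a ticketing system or pull-request API would export.

```python
"""Audit change records against the documented change management process.

Added example with constructed sample data; the record fields are an
assumption about what a ticketing or version-control system exports.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Change:
    change_id: str
    author: str
    approver: Optional[str]         # who authorized the change, if anyone
    ticket: Optional[str]           # linked change request ID, if any
    approved_at: Optional[datetime]
    tested_in: Tuple[str, ...]      # environments where validation was recorded
    deployed_at: Optional[datetime]
    target_env: str


def findings(c: Change) -> List[str]:
    """Return the process violations for one change, in a fixed order."""
    out: List[str] = []
    # Approval: someone must have approved, and it must not be the author
    # (segregation of duties).
    if c.approver is None or c.approved_at is None:
        out.append("no_approval")
    elif c.approver == c.author:
        out.append("author_approved_own_change")
    # Documentation: every change must trace back to a change request.
    if not c.ticket:
        out.append("no_ticket")
    # Testing: a production change needs validation evidence from at least
    # one non-production environment first.
    if c.target_env == "production" and not any(
        env != "production" for env in c.tested_in
    ):
        out.append("not_tested_pre_production")
    # Sequencing: deployment must follow approval, never precede it.
    if c.deployed_at is not None and (
        c.approved_at is None or c.deployed_at < c.approved_at
    ):
        out.append("deployed_before_approval")
    return out


def audit(changes: List[Change]) -> Dict[str, List[str]]:
    """Map each change ID to its findings; an empty list means compliant."""
    return {c.change_id: findings(c) for c in changes}


def noncompliant(changes: List[Change]) -> List[str]:
    """IDs of changes with at least one finding, in input order."""
    return [cid for cid, f in audit(changes).items() if f]


# Constructed sample records (not real changes). Hypothetical people,
# ticket IDs and environments.
SAMPLE_CHANGES: List[Change] = [
    # Fully compliant change.
    Change("CHG-1001", "alice", "bob", "OPS-42",
           datetime(2024, 3, 1, 14, 0), ("dev", "staging"),
           datetime(2024, 3, 2, 10, 0), "production"),
    # Author approved their own change.
    Change("CHG-1002", "carol", "carol", "OPS-43",
           datetime(2024, 3, 2, 11, 0), ("staging",),
           datetime(2024, 3, 2, 12, 0), "production"),
    # Hotfix pushed straight to production with no ticket, approval or test.
    Change("CHG-1003", "dave", None, None,
           None, (),
           datetime(2024, 3, 3, 2, 15), "production"),
    # Approved, but deployed an hour before the approval was recorded.
    Change("CHG-1004", "erin", "frank", "OPS-45",
           datetime(2024, 3, 4, 16, 0), ("staging",),
           datetime(2024, 3, 4, 15, 0), "production"),
]


if __name__ == "__main__":
    for cid, issues in audit(SAMPLE_CHANGES).items():
        print(f"{cid}: {'OK' if not issues else ', '.join(issues)}")
```

Running the module prints one line per change; only CHG-1001 comes back clean. The checks are deliberately ordered by control (approval, documentation, testing, sequencing) so that a change missing approval reports both `no_approval` and `deployed_before_approval`, since those are distinct control failures that an auditor would write up separately.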