Change Management

Change is constant within any organization and there can be periods in which change is more rapid and may occur within different business units concurrently.  A change in one unit can have an adverse effect on another unit, it is therefore crucial to effectively manage change within the organization. From an IT perspective, change should be defined (e.g. normal, standard, and emergency). Typically, an IT organization should have a Change Advisory Board (CAB) for approving normal and standard changes, and an Emergency CAB (ECAB) for approving emergency changes –ECAB is usually a subset of CAB. The chair of CAB should be the Change Manager of the organization.

Control Objective

At a hygiene level the objective is:

  • Policy is documented, followed, reviewed, updated, and tested regularly
  • Changes to production environments must be reviewed and approved