What is Change Management?

What is Change Management?

Change management is the structured process of planning, approving, implementing, and reviewing changes to an organization's information systems, infrastructure, and applications. The goal is to ensure that changes are made in a controlled manner, minimizing the risk of unintended disruptions, security vulnerabilities, or compliance violations.

Why does change management matter?

Uncontrolled changes are a leading cause of system outages, security incidents, and compliance failures. Without a formal change management process:

• Untested changes can introduce bugs or vulnerabilities
• Unauthorized modifications can compromise security controls
• Conflicting changes can cause system instability
• Auditors cannot verify that changes were properly authorized and tested
• Troubleshooting becomes difficult without a record of what changed

What are the components of a change management process?

An effective change management program includes:

Change request — a formal submission describing the proposed change, including:

• Description of the change
• Business justification
• Risk assessment
• Rollback plan
• Testing plan
• Implementation timeline

Review and approval — changes are reviewed by appropriate stakeholders:

• Technical review for feasibility and impact
• Security review for potential risks
• Management approval based on risk and priority
• Change Advisory Board (CAB) review for significant changes

Testing — changes are tested in a non-production environment before deployment:

• Functional testing to verify the change works as intended
• Regression testing to confirm existing functionality is not broken
• Security testing when the change affects security-relevant systems

Implementation — changes are deployed following the approved plan:

• During designated maintenance windows when appropriate
• With monitoring for unexpected issues
• With rollback procedures ready if problems occur

Post-implementation review — after deployment, verify:

• The change achieved its intended outcome
• No unintended side effects occurred
• Documentation is updated to reflect the change

How do compliance frameworks address change management?

• SOC 2 — CC8.1 requires that changes to infrastructure, data, software, and procedures are authorized, designed, developed, configured, documented, tested, approved, and implemented
• ISO 27001 — control A.8.32 addresses change management, requiring that changes to information processing facilities and systems be subject to change management procedures
• PCI DSS — Requirement 6.5 requires change control processes for all system components in the cardholder data environment

What are the types of changes in change management?

• Standard changes — pre-approved, low-risk, routine changes that follow a documented procedure (e.g., updating a standard software package)
• Normal changes — changes that require the full change management process including review and approval
• Emergency changes — urgent changes needed to resolve incidents or critical issues, typically with streamlined approval followed by retrospective documentation

How does separation of duties apply to change management?

A key control within change management is separation of duties — the person who develops a change should not be the same person who approves or deploys it to production. This prevents unauthorized or untested changes from reaching production systems.

What change management evidence do auditors look for?

Auditors reviewing change management look for:

• Change request records with documented approvals
• Evidence of testing before production deployment
• Separation of duties between development, approval, and deployment
• Rollback plans for significant changes
• Post-implementation reviews

How does episki help with change management?

episki tracks change management activities, integrates with ticketing and CI/CD systems, and maintains audit-ready evidence of change approvals, testing, and deployment. The platform maps change management controls to SOC 2, ISO 27001, and PCI DSS requirements. Learn more on our compliance platform.