What is Change Management?
Change management is the structured process of planning, approving, implementing, and reviewing changes to an organization's information systems, infrastructure, and applications. The goal is to ensure that changes are made in a controlled manner, minimizing the risk of unintended disruptions, security vulnerabilities, or compliance violations.
Why change management matters
Uncontrolled changes are a leading cause of system outages, security incidents, and compliance failures. Without a formal change management process:
- Untested changes can introduce bugs or vulnerabilities
- Unauthorized modifications can compromise security controls
- Conflicting changes can cause system instability
- Auditors cannot verify that changes were properly authorized and tested
- Troubleshooting becomes difficult without a record of what changed
Components of a change management process
An effective change management program includes:
Change request — a formal submission describing the proposed change, including:
- Description of the change
- Business justification
- Risk assessment
- Rollback plan
- Testing plan
- Implementation timeline
Review and approval — changes are reviewed by appropriate stakeholders:
- Technical review for feasibility and impact
- Security review for potential risks
- Management approval based on risk and priority
- Change Advisory Board (CAB) review for significant changes
Testing — changes are tested in a non-production environment before deployment:
- Functional testing to verify the change works as intended
- Regression testing to confirm existing functionality is not broken
- Security testing when the change affects security-relevant systems
Implementation — changes are deployed following the approved plan:
- During designated maintenance windows when appropriate
- With monitoring for unexpected issues
- With rollback procedures ready if problems occur
Post-implementation review — after deployment, verify:
- The change achieved its intended outcome
- No unintended side effects occurred
- Documentation is updated to reflect the change
Change management in compliance frameworks
- SOC 2 — CC8.1 requires that changes to infrastructure, data, software, and procedures are authorized, designed, developed, configured, documented, tested, approved, and implemented
- ISO 27001 — control A.8.32 addresses change management, requiring that changes to information processing facilities and systems be subject to change management procedures
- PCI DSS — Requirement 6.5 requires change control processes for all system components in the cardholder data environment
Types of changes
- Standard changes — pre-approved, low-risk, routine changes that follow a documented procedure (e.g., updating a standard software package)
- Normal changes — changes that require the full change management process including review and approval
- Emergency changes — urgent changes needed to resolve incidents or critical issues, typically with streamlined approval followed by retrospective documentation
Separation of duties
A key control within change management is separation of duties — the person who develops a change should not be the same person who approves or deploys it to production. This prevents unauthorized or untested changes from reaching production systems.
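The controls described in the sections above (the required change-request fields, review and approval, testing before deployment, the three change types, and the separation of duties between developer, approver and deployer) can be enforced mechanically at the point where a change is released, which is also what produces the audit evidence listed below. The following Python is an added example written for this page, not episki's code or API; the ChangeRequest model, its field names, the PostImplementationReview record and the rule messages are all assumptions made for illustration.

```python
"""Deployment gate enforcing the change-management controls described above.

Constructed example: the ChangeRequest model, field names and rule messages
are assumptions for illustration, not any product's API or schema.
"""
from dataclasses import dataclass, field
from typing import List, Optional

CHANGE_TYPES = ("standard", "normal", "emergency")
# Fields every normal or emergency change request must carry (see "Change request").
REQUIRED_FIELDS = ("description", "justification", "risk_assessment",
                   "rollback_plan", "testing_plan")


@dataclass
class ChangeRequest:
    change_id: str
    change_type: str                      # one of CHANGE_TYPES
    author: str                           # person who developed the change
    description: str = ""
    justification: str = ""
    risk_assessment: str = ""
    rollback_plan: str = ""
    testing_plan: str = ""
    security_relevant: bool = False
    approvers: List[str] = field(default_factory=list)
    security_reviewer: Optional[str] = None
    test_evidence: Optional[str] = None   # reference to non-production test results
    standard_procedure_id: Optional[str] = None  # documented procedure a standard change follows
    incident_id: Optional[str] = None     # incident an emergency change resolves
    deployer: Optional[str] = None        # person who will deploy to production


@dataclass
class PostImplementationReview:
    outcome_verified: bool = False        # the change achieved its intended outcome
    side_effects_checked: bool = False    # no unintended side effects found
    documentation_updated: bool = False   # documentation reflects the change


def gate_violations(cr: ChangeRequest) -> List[str]:
    """Return every reason the change must not reach production; empty means it may deploy."""
    v: List[str] = []
    if cr.change_type not in CHANGE_TYPES:
        return [f"{cr.change_id}: unknown change type {cr.change_type!r}"]

    # Separation of duties: the developer neither approves, reviews nor deploys the change.
    if cr.author in cr.approvers:
        v.append(f"{cr.change_id}: author {cr.author} cannot approve their own change")
    if cr.author == cr.security_reviewer:
        v.append(f"{cr.change_id}: author {cr.author} cannot security-review their own change")
    if cr.deployer is not None and cr.deployer == cr.author:
        v.append(f"{cr.change_id}: author {cr.author} cannot deploy their own change")

    if cr.change_type == "standard":
        # Pre-approved routine change: only the documented procedure is required.
        if not cr.standard_procedure_id:
            v.append(f"{cr.change_id}: standard change must reference a pre-approved procedure")
        return v

    # Normal and emergency changes need a complete request and documented approval.
    for name in REQUIRED_FIELDS:
        if not getattr(cr, name).strip():
            v.append(f"{cr.change_id}: missing {name}")
    if not cr.approvers:
        v.append(f"{cr.change_id}: no documented approval")
    if cr.security_relevant and not cr.security_reviewer:
        v.append(f"{cr.change_id}: security-relevant change has no security review")

    if cr.change_type == "normal":
        # Normal changes must show testing in a non-production environment first.
        if not cr.test_evidence:
            v.append(f"{cr.change_id}: no evidence of testing before production deployment")
    else:
        # Emergency changes get streamlined approval but must cite the incident they resolve;
        # testing evidence is collected retrospectively (see closure_gaps).
        if not cr.incident_id:
            v.append(f"{cr.change_id}: emergency change must reference an incident")
    return v


def closure_gaps(cr: ChangeRequest, review: PostImplementationReview) -> List[str]:
    """Items still missing before the change record is complete for audit."""
    gaps: List[str] = []
    if cr.change_type != "standard" and not cr.test_evidence:
        gaps.append("test evidence not attached")   # retrospective for emergency changes
    if not review.outcome_verified:
        gaps.append("intended outcome not verified")
    if not review.side_effects_checked:
        gaps.append("side effects not checked")
    if not review.documentation_updated:
        gaps.append("documentation not updated")
    return gaps


if __name__ == "__main__":
    # Constructed sample: a security-relevant normal change with proper separation of duties.
    cr = ChangeRequest("CHG-1001", "normal", author="alice", description="Rotate edge TLS key",
                       justification="Certificate expiring", risk_assessment="Low",
                       rollback_plan="Reinstall previous key pair", testing_plan="Handshake check",
                       security_relevant=True, approvers=["bob"], security_reviewer="carol",
                       test_evidence="staging-run-42", deployer="dave")
    print("gate:", gate_violations(cr) or "approved")
    print("closure:", closure_gaps(cr, PostImplementationReview(True, True, True)) or "complete")
```

The gate is deliberately a pure function over the change record: a CI/CD pipeline can call it before the production stage and refuse to proceed on any violation, and the same record (approvers, reviewer, test evidence reference, incident id) is exactly what an auditor asks to see. Emergency changes are the one place the gate relaxes, and only in a bounded way: approval and an incident reference are still required up front, while test evidence and the review are tracked as open closure items rather than silently waived.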
Evidence for auditors
Auditors reviewing change management look for:
- Change request records with documented approvals
- Evidence of testing before production deployment
- Separation of duties between development, approval, and deployment
- Rollback plans for significant changes
- Post-implementation reviews
How episki helps
episki tracks change management activities, integrates with ticketing and CI/CD systems, and maintains audit-ready evidence of change approvals, testing, and deployment. The platform maps change management controls to SOC 2, ISO 27001, and PCI DSS requirements. Learn more on our compliance platform.