Change Management Policy
Version: v8.3-A | Effective Date: October 15, 2019
- Document Created: September 22, 2019
- Last Reviewed: February 12, 2025
- Next Review Date: February 2026
- Approved By: Chief Technology Officer
- Policy Owner: Security Officer
7.1 Purpose
This Change Management Policy establishes controlled processes for proposing, evaluating, approving, implementing, and reviewing changes to IT systems, applications, infrastructure, and security controls to minimize disruption risk, maintain security and stability, and provide audit trails.
7.2 Scope
Applies to all changes affecting production systems, applications, infrastructure, network, and security controls. Routine operational tasks that do not alter system configuration are out of scope. Emergency security patches and pre-approved standard changes are exempt only from the normal-change evaluation and approval workflow; they remain subject to this policy, and emergency patches must be documented retroactively.
7.3 Policy Statements
7.3.1 Secure Development Practices
- OWASP Integration: Development incorporates OWASP Top 10 vulnerability awareness and mitigation. Developers receive training on secure coding.
- Version Control: All code is managed in Git. Branch protection on production branches blocks direct pushes, requires an approved code review, and requires the automated test suite to pass before a merge is permitted.
- Code Review: All changes undergo peer review evaluating quality, security, performance, error handling, and test coverage.
7.3.2 CI/CD Pipeline
Automated validation includes unit tests, integration tests, functional tests, security tests (SAST and DAST), performance tests, code quality checks, and dependency vulnerability scanning. A change that fails any required check is blocked from merging and cannot be deployed to production.
7.3.3 Pre-Production Testing
All changes tested in a staging environment mirroring production. Testing validates functionality, performance, security, compatibility, and rollback procedures.
7.3.4 Change Process
Changes classified as:
- Standard: pre-approved, low-risk
- Normal: requiring evaluation and approval
- Emergency: rapid implementation for critical issues, with the required change documentation completed retroactively
Change requests must document description, impact, implementation plan, testing, and rollback procedures.
7.3.5 Customer Notification
Customers receive advance notification of significant changes per contract terms (typically 5–14 business days) including change description, impact, scheduled window, and support contact information.
7.4 Compliance
Supports ISO/IEC 27001:2022 (A.8.32), ISO/IEC 20000-1, SOC 2 Type II (CC8.1), NIST SP 800-53 (CM-3, CM-4), and ITIL best practices.