Got an idea? A vision?

We want to hear it.

Let’s Chat & Make It Happen

…or email us at hello@bluewhaleapps.com and we’ll follow up promptly!

Change Management Policy

Version: v8.3-A | Effective Date: October 15, 2019

  • Document Created: September 22, 2019
  • Last Reviewed: February 12, 2025
  • Next Review Date: February 2026
  • Approved By: Chief Technology Officer
  • Policy Owner: Security Officer

1.1 Purpose

This Change Management Policy establishes controlled processes for proposing, evaluating, approving, implementing, and reviewing changes to IT systems, applications, infrastructure, and security controls to minimize disruption risk, maintain security and stability, and provide audit trails.

1.2 Scope

Applies to all changes affecting production systems, applications, infrastructure, network, and security controls. Excludes routine operational tasks, emergency security patches (retroactive documentation required), and pre-approved standard changes.

1.3 Policy Statements

1.3.1 Secure Development Practices

  • OWASP Integration: Development incorporates OWASP Top 10 vulnerability awareness and mitigation. Developers receive training on secure coding.
  • Version Control: All code managed through Git with branch protection preventing direct production changes, mandatory code review, and automated test requirements before merging.
  • Code Review: All changes undergo peer review evaluating quality, security, performance, error handling, and test coverage.

1.3.2 CI/CD Pipeline

Automated validation includes unit tests, integration tests, functional tests, security tests (SAST, DAST), performance tests, code quality checks, and dependency vulnerability scanning. Code failing tests does not proceed to production.

1.3.3 Pre-Production Testing

All changes tested in a staging environment mirroring production. Testing validates functionality, performance, security, compatibility, and rollback procedures.

1.3.4 Change Process

Changes classified as:

  • Standard: pre-approved, low-risk
  • Normal: requiring evaluation and approval
  • Emergency: rapid implementation for critical issues

Change requests must document description, impact, implementation plan, testing, and rollback procedures.

1.3.5 Customer Notification

Customers receive advance notification of significant changes per contract terms (typically 5–14 business days) including change description, impact, scheduled window, and support contact information.

1.4 Compliance

Supports ISO/IEC 27001:2022 (A.8.32), ISO/IEC 20000-1, SOC 2 Type II (CC8.1), NIST SP 800-53 (CM-3, CM-4), and ITIL best practices.

Read Our Reviews