Do you have a documented change management process?
Explanation
Change management discipline is the focus here: assessors look for a formal, documented process governing changes to your IT systems, applications, infrastructure, and other technology assets.
A change management process is a structured approach to transitioning from the current state to a desired future state. In IT contexts, this typically refers to how modifications to systems, software, hardware, networks, or procedures are proposed, reviewed, approved, implemented, and verified.
Why it's asked in security assessments:
- Uncontrolled changes can introduce security vulnerabilities or system instabilities
- Proper change management ensures changes are tested before deployment
- Documentation creates accountability and traceability for all changes
- It demonstrates organizational maturity and risk awareness
- Many compliance frameworks (like ISO 27001, NIST, SOC 2) require formal change management
A good answer should:
- Confirm the existence of a documented process
- Briefly outline the key elements of your change management process
- Mention any tools used to track changes
- Note how changes are reviewed for security implications
- Indicate if the process is regularly reviewed and updated
Even if your process is simple, having documentation that shows a thoughtful approach to managing changes is important for security assessments.
Example Responses
Example Response 1
Yes, our organization maintains a comprehensive change management process documented in our Information Security Policy (Section 8.2) and detailed in our Change Management Procedure (CMP-001) The process includes formal change requests through our JIRA ticketing system, risk assessment for each change, approval workflows based on change type and impact, pre-implementation testing requirements, scheduled implementation windows, post-implementation verification, and rollback procedures All changes undergo security review by our security team for potential vulnerabilities or compliance impacts The process is audited annually and was last updated in January 2023 following our ISO 27001 certification.
Example Response 2
Yes, we have a documented change management process that is appropriate for our organization size Our process is outlined in our IT Operations Manual and includes: (1) Change request submission via our ServiceNow portal, (2) Technical and business impact assessment, (3) Change Advisory Board review for significant changes, (4) Testing requirements based on change classification, (5) Implementation scheduling with appropriate notifications, and (6) Post-implementation review For emergency changes, we have an expedited process that still requires documentation and post-implementation review All changes are logged and reviewed quarterly to identify trends and process improvements.
Example Response 3
No, we currently do not have a formally documented change management process As a small startup with only five developers, we've been managing changes informally through team discussions and our GitHub pull request system We recognize this is a gap in our security posture, and we're in the process of developing a formal change management policy and procedures We expect to have this documentation completed and implemented within the next 60 days In the interim, we are using a basic change log spreadsheet to track all system modifications and have implemented mandatory peer reviews for all code changes.
Context
- Tab
- Organization
- Category
- Change Management
Related questions
- Will the institution be notified of major changes to your environment that could impact the institution's security posture?
- Does the system support client customizations from one release to another?
- Do you have an implemented system configuration management process (e.g.,secure "gold" images, etc.)?
- Does your change management process minimally include authorization, impact analysis, testing, and validation before moving changes to production?
- Does your change management process verify that all required third-party libraries and dependencies are still supported with each major change?
- Do you have policy and procedure, currently implemented, managing how critical patches are applied to all systems and applications?

