Change Management Policy
| Owner | Classification | Review Date | Status |
|---|---|---|---|
| CDO Office | Internal | April 2027 | Active |
| Field | Details |
|---|---|
| Document Type | Policy |
| Document Reference | SP-CMP-004 |
| Version | 1.3 |
| Owner | CISO |
| Classification | Confidential |
| Review Cycle | Annual |
Introduction
Change management is the process by which all changes to Simpaisa's IT infrastructure, systems, applications, and services are requested, evaluated, approved, implemented, and reviewed. This policy establishes a structured approach to change management to minimise the risk of disruption to business operations and to ensure that changes are implemented in a controlled and auditable manner.
This policy applies to all changes to Simpaisa's IT environment, including hardware, software, network, cloud services, and security configurations.
Categories of Changes
Normal Changes
Normal changes are pre-planned, low-risk changes that follow the standard change management process. These changes must be approved by the Change Advisory Board (CAB) before implementation.
Emergency Changes
Emergency changes are required to resolve a critical incident or security vulnerability that poses an immediate risk to the business. Emergency changes may be approved by the Emergency Change Advisory Board (E-CAB) outside of regular CAB meetings. Emergency changes must be reviewed and formally closed after implementation.
Security Patches
Security patches are changes applied to address known vulnerabilities in software or systems. Security patches shall be assessed, prioritised, and applied in accordance with Simpaisa's vulnerability management procedures. Critical security patches shall be applied within defined SLA timeframes.
Major Changes
Major changes are significant changes to the IT environment that carry a high level of risk or complexity. Major changes require a full impact assessment, a back-out plan, and CAB approval before implementation.
Change Management Process
Process Diagram
The change management process follows these key stages:
- Change Request — A change is identified and formally requested
- Assessment — The change is assessed for risk, impact, and resource requirements
- Approval — The change is reviewed and approved by the CAB or E-CAB
- Implementation — The approved change is implemented by the change implementer
- Review and Closure — The change is reviewed post-implementation and formally closed
Process Narrative
| Stage | Description | Responsible Party |
|---|---|---|
| Change Identification | A business or technical need is identified that requires a change to the IT environment | Change Initiator |
| Change Request Submission | A formal change request is submitted, including description, justification, risk assessment, implementation plan, and back-out plan | Change Initiator |
| Initial Assessment | The change request is reviewed for completeness and assigned a priority and category | Change Manager |
| CAB Review | The CAB reviews and approves, defers, or rejects the change request | CAB |
| Scheduling | Approved changes are scheduled and communicated to stakeholders | Change Manager |
| Implementation | The change is implemented according to the approved plan | Change Implementer |
| Post-Implementation Review | The change is reviewed to confirm success and close the request | Change Manager |
Process Roles
Change Initiator
The change initiator is responsible for:
- Identifying and documenting the need for a change
- Completing and submitting the change request form
- Providing all required information for assessment and approval
- Supporting the implementation and post-implementation review
Change Manager
The change manager is responsible for:
- Managing the end-to-end change management process
- Reviewing and assessing change requests for completeness
- Scheduling CAB meetings and managing the change schedule
- Ensuring changes are implemented and reviewed in accordance with this policy
CAB / E-CAB
The Change Advisory Board (CAB) is responsible for:
- Reviewing and approving or rejecting change requests
- Assessing the risk and impact of proposed changes
- Ensuring appropriate stakeholders are consulted before changes are approved
- Convening as the E-CAB for emergency change approvals
Change Implementer
The change implementer is responsible for:
- Implementing the approved change according to the implementation plan
- Following the approved back-out plan if the change fails
- Documenting the implementation outcome
- Reporting any issues encountered during implementation
Back-Out Procedures
All change requests shall include a documented back-out plan that describes the steps required to reverse the change if it fails or causes unintended consequences. The back-out plan shall be tested where practicable before the change is implemented.
RACI Matrix
| Activity | Change Initiator | Change Manager | CAB/E-CAB | Change Implementer |
|---|---|---|---|---|
| Submit change request | R | I | I | I |
| Assess change request | I | R | C | C |
| Approve/reject change | I | A | R | I |
| Schedule change | I | R | C | I |
| Implement change | I | A | I | R |
| Post-implementation review | C | R | I | C |
| Close change request | I | R | I | I |
R = Responsible, A = Accountable, C = Consulted, I = Informed
Change Advisory Board
CAB Meetings
The CAB shall meet on a regular schedule (at minimum weekly) to review and approve pending change requests. CAB membership shall include representation from IT operations, security, and relevant business stakeholders.
CAB meeting outcomes shall be documented and retained as part of the change record.
Changes Notified by Cloud Service Providers (CSPs)
Simpaisa shall maintain processes to receive, review, and respond to change notifications from Cloud Service Providers. Changes notified by CSPs that may impact Simpaisa's systems or services shall be assessed and communicated to affected stakeholders.
Reporting
Change Schedule
The change manager shall maintain and publish a change schedule that lists all approved changes, their planned implementation dates, and current status. The change schedule shall be reviewed at each CAB meeting.
Reports for CAB
The following reports shall be prepared for CAB review:
- List of pending change requests
- Status of changes in progress
- Post-implementation review outcomes
- Metrics including change success rate, emergency change volume, and back-out frequency
Reference Documents
| Document | Reference |
|---|---|
| Change Request Form | SP-CMP-004-F01 |
| Back-Out Plan Template | SP-CMP-004-F02 |
| CAB Meeting Minutes Template | SP-CMP-004-F03 |
| Change Schedule | SP-CMP-004-SCH |