Change Management
Document ID: DPWAT-ISMS-PROC-003
Version: 1.0
Owner: Process Owners (RA) + Administrator — Anna Boros; Timo Andreas Bejan
Approved by: Administrator (ADM) — Anna Boros
Effective date: 2025-11-10
Next review: 2027-02-01 (or on major change)
1. Purpose
Ensure changes to systems and services are controlled to reduce unintended security and availability impacts.
2. Change types
- Standard change: low risk, repeatable (e.g., adding a user to a project repo).
- Normal change: planned change requiring review (e.g., new tool, configuration change).
- Emergency change: urgent change to restore service or address an active issue.
3. Minimum requirements
- Identify the change, reason, and impacted systems.
- Assess risk and include a rollback plan where applicable.
- Obtain approval based on impact (Process Owner/CISO/Administrator).
- Record evidence of approval and implementation (ticket, pull request, email).
3.1 Segregation of duties (where feasible)
- For high-risk changes, approval must come from a person other than the implementer (e.g., pull request approval, ticket approval, or written approval).
- For emergency changes, a retrospective review by another Administrator/CISO should be recorded as soon as feasible.
See 03.15-segregation-of-duties-and-dual-control-policy.
4. Post-implementation review
- Verify that the change was applied successfully and meets objectives.
- For significant changes, document lessons learned if applicable.
- If issues arise, follow incident management and record corrective actions.
5. Stakeholder communication
- Notify affected stakeholders via Slack or email (e.g., environment updates, critical issues, planned downtime).
- For changes significantly affecting roles or procedures, provide appropriate guidance or training.
6. Evidence
Use template-change-request for non-trivial changes and store records in 07-records/.