What Is Change Management?
Change management is the structured process for controlling modifications to IT systems, applications, infrastructure, and configurations. It ensures that changes are planned, reviewed, approved, tested, and documented before implementation, minimising the risk of security incidents, service disruptions, and compliance violations.
For compliance-driven organisations, change management is a core control required by ISO 27001, SOC 2, NIS2, and DORA, with auditors specifically examining change records, approval workflows, testing evidence, and rollback procedures.
Change Types
| Type | Description | Approval | Examples |
|---|---|---|---|
| Standard | Pre-approved, low-risk, routine changes | Pre-approved model | Approved patches, user provisioning, backup changes |
| Normal | Planned changes requiring assessment and approval | CAB or designated approver | New application deployment, infrastructure changes |
| Emergency | Urgent changes to resolve critical issues | Emergency change authority | Critical security patches, incident response changes |
Change Management Process
| Phase | Activities | Output |
|---|---|---|
| Request | Submit change request with business justification | Change request record |
| Assessment | Evaluate risk, impact, and dependencies | Risk assessment and categorisation |
| Review | Technical review and security assessment | Review findings and recommendations |
| Approval | CAB or designated authority approves or rejects | Approval decision with conditions |
| Planning | Schedule implementation, prepare rollback plan | Implementation plan with rollback procedures |
| Testing | Test in non-production environment | Test results and sign-off |
| Implementation | Execute change during approved window | Implementation logs |
| Verification | Confirm change successful, no adverse effects | Post-implementation review |
| Closure | Document outcome, update CMDB, close ticket | Completed change record |
Change Risk Assessment
| Risk Factor | Low | Medium | High |
|---|---|---|---|
| Systems affected | Single non-critical system | Multiple systems or one critical system | Core infrastructure or multiple critical systems |
| Users impacted | < 10 users | 10-100 users | > 100 users or all users |
| Rollback complexity | Simple, automated rollback | Manual rollback with documented steps | Complex rollback requiring extended downtime |
| Testing coverage | Fully tested, proven procedure | Tested in staging | Limited or no testing possible |
| Change window | Standard maintenance window | Extended maintenance window | No suitable maintenance window |
Separation of Duties
| Role | Responsibility | Cannot Also Be |
|---|---|---|
| Change requester | Submits and justifies the change | Approver of same change |
| Change reviewer | Assesses technical risk and impact | Sole implementer without review |
| Change approver | Authorises implementation | Requester of same change |
| Change implementer | Executes the approved change | Approver of same change |
| Change verifier | Confirms successful implementation | Sole implementer without verification |
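The risk classification and separation-of-duties rules from the two tables above, expressed as a workflow gate, as an added example (not Orbiq's code or schema). The `ChangeRecord` fields, the rule that overall risk is the highest assessed factor, and the choice to treat an unassessed change as high risk are assumptions for the example.

```python
from dataclasses import dataclass, field

# Hypothetical change record; field names are assumptions, not a real tool's schema.
@dataclass
class ChangeRecord:
    change_id: str
    change_type: str               # "standard", "normal" or "emergency"
    requester: str
    reviewer: str
    approver: str
    implementer: str
    verifier: str
    risk_factors: dict = field(default_factory=dict)  # factor name -> "low"/"medium"/"high"
    rollback_plan: bool = False
    test_signoff: bool = False

LEVELS = ("low", "medium", "high")

def classify_risk(record: ChangeRecord) -> str:
    """Overall risk is the highest level among the assessed factors (assumption)."""
    if not record.risk_factors:
        return "high"  # an unassessed change is treated as high risk
    return max(record.risk_factors.values(), key=LEVELS.index)

def sod_violations(record: ChangeRecord) -> list:
    """List the separation-of-duties rules from the table that the record breaks."""
    violations = []
    if record.requester == record.approver:
        violations.append("requester cannot approve own change")
    if record.implementer == record.approver:
        violations.append("implementer cannot approve own change")
    if record.implementer == record.reviewer:
        violations.append("implementer cannot be the sole reviewer")
    if record.implementer == record.verifier:
        violations.append("implementer cannot be the sole verifier")
    return violations

def gate_violations(record: ChangeRecord) -> list:
    """Pre-implementation gates: rollback plan for significant changes, testing for planned ones."""
    violations = []
    if classify_risk(record) != "low" and not record.rollback_plan:
        violations.append("rollback plan required for medium/high risk change")
    if record.change_type != "emergency" and not record.test_signoff:
        violations.append("test sign-off required before implementation")
    return violations

def may_implement(record: ChangeRecord) -> bool:
    """A change may proceed only when no SoD rule and no gate is violated."""
    return not sod_violations(record) and not gate_violations(record)
```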
Compliance Requirements
Framework Mapping
| Requirement | ISO 27001 | SOC 2 | NIS2 | DORA |
|---|---|---|---|---|
| Change management process | A.8.32 | CC8.1 | Art. 21(2)(e) | Art. 9(4)(e) |
| Separation of duties | A.5.3 | CC6.1 | Art. 21(2)(i) | Art. 9(4) |
| Testing before deployment | A.8.29 | CC8.1 | Art. 21(2)(e) | Art. 9(4)(e) |
| Rollback procedures | A.8.32 | CC8.1 | Art. 21(2)(e) | Art. 9(4)(e) |
| Change documentation | A.8.32 | CC8.1 | Art. 21(2)(e) | Art. 9(4)(e) |
Audit Evidence
| Evidence Type | Description | Framework |
|---|---|---|
| Change management policy | Documented process with roles and approval workflows | All frameworks |
| Change records | Complete history of all changes with approvals | All frameworks |
| CAB meeting minutes | Documentation of change review and approval decisions | All frameworks |
| Test results | Evidence of pre-deployment testing | All frameworks |
| Rollback procedures | Documented rollback plans for each significant change | All frameworks |
| Post-implementation reviews | Evidence of verification after change deployment | ISO 27001, SOC 2 |
| Emergency change records | Retrospective documentation of emergency changes | All frameworks |
Change Management Metrics
| Metric | Target | Description |
|---|---|---|
| Change success rate | > 95% | Percentage of changes implemented without incident |
| Emergency change rate | < 10% | Percentage of changes classified as emergency |
| Change-related incidents | < 5% | Percentage of incidents caused by changes |
| Mean time to implement | Per SLA | Average time from approval to implementation |
| Rollback rate | < 5% | Percentage of changes requiring rollback |
| Documentation completeness | 100% | Percentage of changes with complete records |
Common Mistakes
| Mistake | Risk | Fix |
|---|---|---|
| No formal change process | Uncontrolled changes introduce vulnerabilities | Implement documented change management process |
| Bypassing approval for convenience | Unauthorised changes cause incidents | Enforce approval workflows, track exceptions |
| No rollback planning | Failed changes cause extended outages | Require rollback plan for every significant change |
| Same person requests and approves | No oversight, separation of duties violation | Enforce separation of duties in change workflow |
| No post-implementation review | Failed changes go undetected | Require verification for all changes |
| Emergency changes not documented | Audit gaps, untracked system modifications | Retrospective documentation within 24-48 hours |
How Orbiq Supports Change Management Compliance
Orbiq helps you demonstrate change management controls:
- Evidence collection — Centralise change policies, approval records, and test results
- Continuous monitoring — Track change management metrics and compliance
- Trust Center — Share your change management posture via your Trust Center
- Compliance mapping — Map change controls to ISO 27001, SOC 2, NIS2, and DORA
- Audit readiness — Pre-built evidence packages for auditor review
Further Reading