Sign up for our newsletter

Thank you! Your submission has been received!

Close
Oops! Something went wrong while submitting the form.

Change Control Policy | Policy Template Download

Purpose

The purpose of the (District/Organization) Change Control Policy is to establish the rules for the creation, evaluation, implementation, and tracking of changes made to (District/Organization) Information Resources.

Audience

The (District/Organization) Change Control Policy applies to any individual, entity, or process that create, evaluate, and/or implement changes to (District/Organization) Information Resource.

Policy

  • Changes to production (District/Organization) Information Resources must be documented and classified according to their:
    • Importance,
    • Urgency,
    • Impact, and
    • Complexity.
  • Change documentation must include, at a minimum:
    • Date of submission and date of change,
    • Owner and custodian contact information,
    • Nature of the change,
    • Change requestor,
    • Change classification(s),
    • Roll-back plan,
    • Change approver,
    • Change implementer, and
    • An indication of success or failure.
  • Changes with a significant potential impact to (District/Organization) Information Resources must be scheduled.
  • (District/Organization) Information Resource owners must be notified of changes that affect the systems they are responsible for.
  • Authorized change windows must be established for changes with a high potential impact.
  • Changes with a significant potential impact and/or significant complexity must have usability, security, and impact testing and back out plans included in the change documentation.
  • Change control documentation must be maintained in accordance with the (District/Organization) Information Retention Schedule.
  • Changes made to (District/Organization) customer environments and/or applications must be communicated to customers, in accordance with governing agreements and/or contracts.
  • All changes must be approved by the Information Resource Owner, Director of Information Technology, or Change Control Board (if one is established).
  • Emergency changes that require an immediate implementation (i.e. break/fix, incident response, etc.) may be implemented without following the formal change control process, but may not circumvent documentation requirements, even if documented after the change.

Definitions

See Appendix A: Definitions

References

  • ISO 27002: 12.1.2
  • NIST CSF: PR.IP-3
  • (District/Organization) Network Management Policy

Waivers

Waivers from certain policy provisions may be sought following the (District/Organization) Waiver Process.

Enforcement

Personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.

Any vendor, consultant, or contractor found to have violated this policy may be subject to sanctions up to and including removal of access rights, termination of contract(s), and related civil or criminal penalties.

Please fill out the form below to access your free download.

Thanks! Your download is ready.

Download
Oops! Something went wrong while submitting the form.
Sign up for our newsletter

Receive monthly news and insights in your inbox. Don't miss out!

education
Industry insights
NEWS & EVENTS