Appendix A Example of a change policy

Data element Description Comments
Purpose

<Organization> requires an adaptive and responsive change management capability that meets the business’s need for timely and effective implementation of changes to meet rapidly evolving business needs and maintain a stable and secure IT infrastructure.

This document describes <organization’s> expectations for IT change management for the efficient and effective management of the IT changes required to maintain an IT infrastructure suitable to meet the evolving needs of <organization>.

Scope

The scope of this policy is all changes to production IT services, regardless of request source, size, initiator or implementer, and it applies to anyone implementing or overseeing those changes.

Note that changes to the development and test environments are not subject to this policy.

General expectations

All changes will be managed in compliance with the spirit and intent of this policy.

All changes must be proposed and reviewed prior to beginning development.

Once a change has been developed and tested, it must be reviewed and approved before release into the production environment.

Emergency changes

Emergency changes are provided for in this policy. Emergency changes are those that are required for incidents that have significant impact on the company’s finances or public perception, or can result in risk to life or bodily harm.

Emergency changes require the existence of a major incident, with an incident manager directing remediation efforts. The incident manager works in close coordination with the change manager to ensure emergency changes receive due oversight and are approved by the appropriate change authority.

Standard changes

Standard changes are changes that are pre-approved, and are implemented as needed in daily operations.

Standard changes are a form of delegated change authority, granted upon a CAB review and the change manager approving the proposed process for handling them.

Standard changes must be implemented in a way that is materially consistent with the approved procedure.

If incidents or operational issues arise from standard changes, the change manager may request a review of the process and, in conjunction with the CAB, recommend changes to the process. Standard changes can be revoked by the change manager.

Unauthorized changes

Because of the high potential for negative impact on IT services and infrastructure stability, all changes must be approved by change management.

All changes that have not been properly reviewed and approved are considered unauthorized.

Unauthorized changes discovered will be treated as an incident, and are generally rolled back, unless it is determined that doing so will have undue negative impact on the business.

In all cases, staff found responsible for unauthorized changes may be disciplined, as per company policy.

Change windows

Periodic change windows shall be established in conjunction with the business for the purpose of system maintenance and change implementation.

There shall be both monthly and weekly release windows (for major applications/services and for periodic maintenance/minor releases, respectively).
