Change Management
Domain 3 — Information Systems Acquisition, Development and Implementation
Definition
Change management is the formal process for controlling modifications to IT systems, infrastructure, and applications. It includes change request submission, impact assessment, approval, testing, implementation, and post-implementation review. Effective change management prevents unauthorised changes that could introduce security vulnerabilities, system instability, or control failures.
Real-World Audit Scenario
During an audit of a bank's core banking system, I noticed that production changes were being made without documented approvals. Developers had direct access to the production environment and routinely applied patches, configuration changes, and even code modifications without going through the change advisory board. In one instance, a developer applied a database optimisation script that accidentally dropped an index, causing the online banking system to slow down by 400% for 6 hours before the issue was identified and reversed.
Common Exam Trap
The exam often presents a scenario where an emergency change bypassed normal controls. The correct answer is not "ban emergency changes" — it is "ensure emergency changes are retrospectively approved and reviewed within a defined timeframe."
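As an added illustration (not from the page's author), one way an auditor or SecOps engineer would test the control described above is to reconcile a production deployment log against the change-management records: flag changes with no ticket, standard changes implemented before CAB approval, and emergency changes that were not retrospectively approved and reviewed within the policy window. The 48-hour window, the ticket fields and the sample records below are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy value (not from the page): emergency changes must be
# retrospectively approved and reviewed within 48 hours of implementation.
EMERGENCY_RETRO_WINDOW = timedelta(hours=48)


@dataclass
class ProdChange:
    """One change observed in production (e.g. from a deployment log)."""
    change_id: Optional[str]        # ticket reference, None if none was recorded
    implemented_at: datetime
    actor: str
    description: str


@dataclass
class ChangeTicket:
    """One record from the change-management system."""
    change_id: str
    change_type: str                # "standard" or "emergency"
    approved_at: Optional[datetime]     # CAB / emergency approver sign-off
    post_review_at: Optional[datetime]  # post-implementation review


def _overdue(ts, deadline, now):
    """True if an event either happened after the deadline or has not
    happened yet although the deadline has passed."""
    if ts is None:
        return now > deadline
    return ts > deadline


def reconcile(changes, tickets, now):
    """Match production changes to tickets and return policy violations
    as (change_id, actor, finding) tuples; an empty list means every
    observed change was properly authorised."""
    by_id = {t.change_id: t for t in tickets}
    findings = []
    for c in changes:
        label = c.change_id or "<no ticket>"
        ticket = by_id.get(c.change_id) if c.change_id else None
        if ticket is None:
            findings.append((label, c.actor, "no approved change record"))
            continue
        if ticket.change_type == "standard":
            # Standard changes need approval *before* implementation.
            if ticket.approved_at is None or ticket.approved_at > c.implemented_at:
                findings.append((label, c.actor, "standard change implemented before approval"))
        elif ticket.change_type == "emergency":
            # Emergency changes may precede approval, but approval and
            # post-implementation review must follow within the window.
            deadline = c.implemented_at + EMERGENCY_RETRO_WINDOW
            if _overdue(ticket.approved_at, deadline, now):
                findings.append((label, c.actor, "emergency change not approved within window"))
            if _overdue(ticket.post_review_at, deadline, now):
                findings.append((label, c.actor, "emergency change lacks post-implementation review"))
        else:
            findings.append((label, c.actor, f"unknown change type {ticket.change_type!r}"))
    return findings


def audit_sample():
    """Run the reconciliation over constructed sample data (not real records)."""
    now = datetime(2024, 3, 10, 9, 0)
    tickets = [
        ChangeTicket("CHG-1001", "standard", datetime(2024, 3, 1, 9, 0), datetime(2024, 3, 3, 9, 0)),
        ChangeTicket("CHG-1002", "standard", datetime(2024, 3, 5, 15, 0), None),
        ChangeTicket("CHG-1003", "emergency", datetime(2024, 3, 6, 9, 0), datetime(2024, 3, 7, 10, 0)),
        ChangeTicket("CHG-1004", "emergency", None, None),
    ]
    changes = [
        ProdChange("CHG-1001", datetime(2024, 3, 2, 10, 0), "release_mgr", "core banking release 4.2"),
        ProdChange(None, datetime(2024, 3, 3, 23, 15), "dev_alice", "database optimisation script"),
        ProdChange("CHG-1002", datetime(2024, 3, 5, 11, 0), "dev_bob", "config change applied before CAB met"),
        ProdChange("CHG-1003", datetime(2024, 3, 6, 2, 0), "oncall_carol", "emergency hotfix, approved next morning"),
        ProdChange("CHG-1004", datetime(2024, 3, 1, 3, 0), "oncall_dave", "emergency hotfix, never approved"),
    ]
    return reconcile(changes, tickets, now)


if __name__ == "__main__":
    for change_id, actor, finding in audit_sample():
        print(f"{change_id:<12} {actor:<14} {finding}")
```

In a real audit the `changes` list would come from the deployment tool, CI/CD audit log or server change history, and `tickets` from an export of the change-management system; the point of the test is that every production change must be traceable to a record, and that the emergency path is judged by whether approval and review followed within the defined timeframe, not by whether it was used at all.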