Change management (draft)

This page defines a draft “change management” approach for ISO readiness: how we request, approve, implement, and review changes.

Scope

Keep this page focused on how changes are controlled (traceability + approvals). Technical runbooks live under /infra/operations/.

Policy anchors

• Access changes: Access control policy
• Security events: Incident response procedure
• Vulnerability-driven changes: Vulnerability management procedure

Change types (draft)

• Standard change: low risk, repeatable, pre-approved pattern
• Normal change: planned, needs review/approval
• Emergency change: urgent (outage/security), approval may be after-the-fact

Minimum fields (draft)

Every tracked change should capture:

• description and rationale
• affected services/environments (link to canonical docs)
• risk/impact assessment (brief)
• approval (who/when)
• implementation steps and rollback plan (where applicable)
• validation results

Post-change review (draft)

• Document outcome and any follow-ups.
• If the change was incident-driven, link to the incident record and lessons learned.

Records / evidence

• Change request/approval record:
• Implementation notes and validation results:
• Rollback (if used) and post-change follow-ups:

Related

Reference Secure development Infrastructure operations