Domain 1 · 1.3 Change Management

1.3.1 Business Processes

Approval, ownership, stakeholders, impact analysis.

11 min

Change Management = organizational process making every IT/security change controlled, documented, and safe.

Most incidents come from bad changes, not attackers → formal CM protects CIA and business continuity.

Core elements

  • Approval process → every change reviewed & authorized
  • *Exam cue:* firewall changed without approval → missing approval process
  • Ownership → clear person/team responsible for the system
  • Stakeholders → all affected parties (IT, security, mgmt, users, partners)
  • Impact Analysis → effects on systems, dependencies, downtime, compliance, existing controls
  • Test Results → proof from staging / lab (functional, regression, security, pen test)
  • Backout Plan (Rollback) → steps to return to previous state if it fails
  • *Exam cue:* "best way to minimize risk of a failed update" → backout plan
  • Maintenance Window → planned low-impact time (night/weekend)
  • Standard Operating Procedure (SOP) → step-by-step, repeatable instructions

Exam shortcut

  • Approval = authorization
  • Ownership = responsibility
  • Stakeholders = all affected parties
  • Impact analysis = consequences
  • Test results = safe to deploy
  • Backout plan = rollback safety net
  • Maintenance window = minimize disruption
  • SOP = standardized & repeatable