AI06 Process Description

AI06: Change Management

Description

Controls

KGI

KPI

CSF

Maturity Levels

1. Description

The analysis, implementation and follow-up of all changes requested and made to the existing IT infrastructure.

2. Control Objectives

Change Request Initiation And Control: initiate and process Requests for Change
Impact Assessment - structured assessment of all possible impacts on the operational system and its functionality of a Change Request
Control Of Changes - all requests for changes, system maintenance and supplier maintenance are standardized and are subject to formal change management procedures. Changes should be categorized and prioritized and specific procedures should be in place to handle urgent matters.
Emergency Changes - expedited change processes resultant from the need to implement a change as soon as possible
Documentation And Procedures - whenever system changes are implemented, the associated documentation and procedures are updated accordingly.
Authorized Maintenance: ensure ongoing maintenance with established maintenance periods which minimize overall system disruption. maintenance personnel have specific assignments and that their work is properly monitored. In addition, their system access rights should be controlled to avoid risks of unauthorized access to automated systems.
Software Release Policy - the release of software is governed by formal procedures ensuring sign-off, packaging, regression testing, hand-over, etc.
Distribution of Software - establish specific internal control measures to ensure the distribution of the correct software element to the right place, with integrity, and in a timely manner with adequate audit trails.

3. Key Goal Indicators

Reduced number of errors introduced into systems due to changes
Reduced number of disruptions (loss of availability) caused by poorly managed change
Reduced impact of disruptions caused by change
Reduced level of resources and time required as a ratio to number of changes
Number of emergency fixes

4. Key Performance Indicators

Number of different versions installed at the same time
Number of software release and distribution methods per platform
Number of deviations from the standard configuration
Number of emergency fixes for which the normal change management process was not applied retroactively
Time lag between the availability of the fix and its implementation
Ratio of accepted to refused change implementation requests

5. Critical Success Factors

Change policies are clear and known and they are rigorously and systematically implemented
Change management is strongly integrated with release management and is an integral part of configuration management
There is a rapid and efficient planning, approval and initiation process covering identification, categorisation, impact assessment and prioritisation of changes
Automated process tools are available to support workflow definition, pro-forma workplans, approval templates, testing, configuration and distribution
Expedient and comprehensive acceptance test procedures are applied prior to making the change
A system for tracking and following individual changes, as well as change process parameters, is in place
A formal process for hand-over from development to operations is defined
Changes take the impact on capacity and performance requirements into account
Complete and up-to-date application and configuration documentation is available
A process is in place to manage co-ordination between changes, recognising interdependencies
An independent process for verification of the success or failure of change is implemented
There is segregation of duties between development and production

6. Service Maturity Variations

0 Non-existent	There is no defined change management process and changes can be made with virtually no control. There is no awareness that change can be disruptive for both IT and business operations, and no awareness of the benefits of good change management.
1 (Initial/Ad Hoc)	It is recognized that changes should be managed and controlled, but there is no consistent process to follow. Practices vary and it is likely that unauthorized changes will take place. There is poor or non-existent documentation of change and configuration documentation is incomplete and unreliable. Errors are likely to occur together with interruptions to the production environment caused by poor change management.
2 (Repeatable but Intuitive)	There is an informal change management process in place and most changes follow this approach; however, it is unstructured, rudimentary and prone to error. Configuration documentation accuracy is inconsistent and only limited planning and impact assessment takes place prior to a change. There is considerable inefficiency and rework.
3 (Defined Process)	There is a defined formal change management process in place, including categorisation, prioritisation, emergency procedures, change authorisation and release management, but compliance is not enforced. The defined process is not always seen as suitable or practical and, as a result, workarounds take place and processes are bypassed. Errors are likely to occur and unauthorised changes will occasionally occur. The analysis of the impact of IT changes on business operations is becoming formalised, to support planned rollouts of new applications and technologies.
4 (Managed and Measurable)	The change management process is well developed and consistently followed for all changes and management is confident that there are no exceptions. The process is efficient and effective, but relies on considerable manual procedures and controls to ensure that quality is achieved. All changes are subject to thorough planning and impact assessment to minimise the likelihood of post-production problems. An approval process for changes is in place. Change management documentation is current and correct, with changes formally tracked. Configuration documentation is generally accurate. IT change management planning and implementation is becoming more integrated with changes in the business processes, to ensure that training, organisational changes and business continuity issues are addressed. There is increased co-ordination between IT change management and business process re-design.
5 Optimized	The change management process is regularly reviewed and updated to keep in line with best practices. Configuration information is computer based and provides version control. Software distribution is automated and remote monitoring capabilities are available. Configuration and release management and tracking of changes is sophisticated and includes tools to detect unauthorised and unlicensed software. IT change management is integrated with business change management to ensure that IT is an enabler in increasing productivity and creating new business opportunities for the organisation.