RISM08 Change Management Policy

UCL Research Data Information Security Management System Change Management Policy #

Document Name: RISM08-Change_Management_Policy

Classification: Public

Author: Tim Machin

version: 1.1

Created: 10/02/2025

Last Review: 10/02/2025

Last Reviewed by: Victor Olago

Approved by: OMG

Approved date: 12/03/2025

Review Period: 3 Years

1. Document Overview #

The purpose of this policy is to define the requirements for managing change. Any processes used to manage changes in specific Environments shall adhere to this policy. Changes to any supporting IT services should also adhere to this policy.

3. Scope #

This policy applies to all departments, personnel, contractors, and third parties involved in the development, management, or modification of information systems, applications, and infrastructure with the scope of the Research Data Information Security Management System (ISMS). This includes but is not limited to changes affecting:

  • Software
  • Documented information (including policy and procedures)
  • Hardware and network infrastructure
  • Security controls and configurations

4. Managing Change #

All changes should consider and document the following in a change record. Change records shall be retained and made available to the Operational Management Group on request:

1. Purpose

  • What is the reason for the change?

2. Scope

  • What services, processes, environment or component will change?

3. Impact

  • How will this affect the users and/or organisation?

4. Risk assessment

  • What is the risk during or after the change?
  • How will these risks be mitigated?

5. Schedule

  • When will the change happen?

6. Test plan

  • What is the test plan pre and post change?

7. Communication plan

  • How will the users be notified of the change/disruption?

8. Contingency/Rollback plans

  • How will service be restored if the change fails?

9. Authorisation

  • Who authorised the change?

4. Change Types #

Changes should be classified according to the following definitions. Each change type should have a documented approval chain:

  • Standard Change: A pre-defined, reproducible, repeatable change, for example the deployment of a project within a TRE.

  • Emergency Change: A change made to resolve or mitigate the effect of an incident.

  • Normal Change: Any change not classed as standard or emergency, for example a non-urgent defect fix or new feature.