
Change Management Policy Free Template

Here is a fully developed Change Management Policy aligned with SOC 2 (CC8.1, CC8.2) and ISO/IEC 27001 (Control A.8.32):

1. Document Control

  • Document Title: Change Management Policy

  • Document Identifier: POL-ALL-007

  • Version Number: v1.0

  • Approval Date: <23 June 2025>

  • Effective Date: <23 June 2025>

  • Review Date: <23 June 2026>

  • Document Owner: <Chief Information Officer>

  • Approved By: <Information Security Governance Committee>

2. Purpose

The purpose of this Change Management Policy is to establish a structured approach for managing changes to <Organization Name>'s information systems, infrastructure, applications, and associated processes. The policy is designed to minimize the risk of service disruptions, security breaches, and compliance failures arising from unauthorized or improperly executed changes.

Change management is essential to ensure that all modifications to IT environments are thoroughly assessed, approved, tested, and documented. This policy supports the organization’s efforts to remain operationally stable while enabling continuous improvement and technological evolution. It is aligned with ISO/IEC 27001:2022 Control A.8.32 and SOC 2 Trust Criteria CC8.1 and CC8.2, both of which require formalized change control processes to maintain the integrity and availability of systems and services.

3. Scope

This policy applies to all personnel involved in initiating, approving, planning, executing, testing, or reviewing changes within <Organization Name>'s IT environment. It covers:

  • Software updates, patches, and releases

  • Infrastructure changes (network, server, storage)

  • Configuration changes

  • Cloud services and application deployments

  • Security controls and firewall adjustments

  • Emergency or out-of-band changes

The policy applies across all production, staging, and development environments in all geographic locations operated by <Organization Name> or its third-party service providers.

4. Policy Statement

All changes to <Organization Name>'s IT systems must adhere to the following principles:

  1. Change Classification: Changes must be categorized as standard, emergency, or normal, with corresponding approval and documentation levels.

  2. Change Authorization: No change may be implemented without prior review and approval by the appropriate Change Advisory Board (CAB) or designated authority.

  3. Risk Assessment: Each change must undergo a risk and impact analysis to determine its potential effect on operations, security, compliance, and stakeholders.

  4. Testing: All non-emergency changes must be tested in a controlled environment prior to deployment.

  5. Communication: Affected parties must be informed of changes in advance, with appropriate notices and support instructions.

  6. Documentation: A complete change record must be maintained in the Change Management System, including purpose, approvals, execution logs, and backout plans.

  7. Review: Post-implementation reviews are required for high-impact or failed changes to assess root cause and corrective actions.

5. Safeguards

The following safeguards support secure and auditable change management:

  Control ID   Safeguard Description
  CHG-01       All changes logged in a centralized Change Management System (CMS)
  CHG-02       Automated change notifications sent to impacted teams
  CHG-03       Approval workflows enforced by ITSM platform
  CHG-04       Mandatory rollback procedures documented for all high-risk changes
  CHG-05       Monitoring of all production changes via system and application logs
  CHG-06       Emergency changes require retroactive review and documentation within 24 hours
  CHG-07       CAB meetings held weekly to review pending normal and high-risk changes

Standard changes (routine and low-risk) may be pre-approved with documented controls and subject to periodic audit.

6. Roles and Responsibilities

  • Chief Information Officer (CIO): Overall accountability for change management governance and oversight.

  • Change Manager: Manages the change calendar, facilitates CAB meetings, and ensures policy compliance.

  • Change Requestor: Initiates the change, provides documentation, and conducts risk assessments.

  • CAB (Change Advisory Board): Reviews, approves, or rejects proposed changes based on risk and impact.

  • System Owners and SMEs: Provide technical input and validate testing and rollback plans.

  • IT Operations: Executes approved changes and monitors systems for post-deployment issues.

7. Compliance and Exceptions

Compliance is enforced through regular audits and ongoing monitoring of CMS records and change logs. Automated alerts notify the compliance team of unauthorized or out-of-process changes. Metrics tracked include:

  • Percentage of successful vs. failed changes

  • Number of emergency changes

  • SLA adherence for approvals and testing

Exceptions must be formally requested and approved by the CIO or delegated authority. All exceptions are subject to documented risk mitigation and quarterly review.

8. Enforcement

Violations of this policy may result in:

  • Revocation of system access

  • Mandatory retraining

  • Formal disciplinary action up to termination

  • Contractual penalties for third-party breaches

In cases where change-related failures lead to service outages, data loss, or regulatory violations, external reporting and legal actions may be triggered.

9. Related Policies/Documents

  • POL-ALL-001: Information Security Policy

  • POL-ALL-003: Access Control Policy

  • PRC-ALL-010: Change Management Workflow

  • ISO/IEC 27001:2022 A.8.32

  • SOC 2 Trust Criteria: CC8.1, CC8.2

10. Review and Maintenance

This policy will be reviewed annually or in response to major incidents, audit findings, or changes to regulatory requirements. The Change Manager will coordinate the review with stakeholders and publish approved updates in the corporate policy repository.


Ready to experience the BlueDocs advantage

See why teams choose BlueDocs for comprehensive knowledge management, training workflows, and policy compliance tracking.
