Change Request and Approval Procedure Free Template

Here is the complete Change Request and Approval Procedure document (PRC-IT-010) aligned with SOC 2 Trust Criteria CC8.1 and CC8.2, and ISO/IEC 27001:2022 A.8.32 (Change Management):

1. Document Control

  • Document Title: Change Request and Approval Procedure

  • Document Identifier: PRC-IT-010

  • Version Number: v1.0

  • Approval Date: <24 June 2025>

  • Effective Date: <24 June 2025>

  • Review Date: <24 June 2026>

  • Document Owner: <Director of IT Operations>

  • Approved By: <Change Advisory Board (CAB)>

2. Purpose

The purpose of this procedure is to define a standardized, auditable process for requesting, reviewing, approving, and implementing changes to the organization's IT systems, applications, and infrastructure. Proper change management ensures system integrity, minimizes risk to business operations, and supports traceability and accountability.

This procedure is required to meet SOC 2 Trust Services Criteria CC8.1 and CC8.2, which mandate the use of formal change control practices to maintain system reliability, security, and availability. It is also aligned with ISO 27001:2022 Control A.8.32.

3. Scope

This procedure applies to all changes involving production systems, cloud environments, software applications, databases, network infrastructure, and critical configuration elements across the organization's IT estate. Changes to code, infrastructure-as-code (IaC), system configurations, access rights, and third-party integrations fall under this procedure.

Excluded from this procedure are documented emergency changes (subject to retrospective review) and changes in isolated test environments without production access.

4. Policy Statement

The organization shall follow a formal change control process comprising:

  1. Submission: All change requests must be submitted through the IT Service Management (ITSM) tool with appropriate documentation.

  2. Categorization: Changes are classified as standard, normal, or emergency, with distinct approval paths.

  3. Impact Analysis: Each change is assessed for technical, security, and business impact.

  4. Review & Approval: All normal and emergency changes must be reviewed and approved by the Change Advisory Board (CAB) or designated approvers.

  5. Pre-Implementation Checks: Backout plans, stakeholder notifications, and downtime schedules must be verified before change execution.

  6. Implementation: Changes are deployed in alignment with the approved window, and status is logged in the change ticket.

  7. Validation: Post-change testing and user verification are required to confirm success.

  8. Closure: Tickets are formally closed with results, lessons learned, and any remediation notes.

All changes must be traceable and linked to incident tickets, service requests, or business needs.

5. Safeguards

Control ID | Safeguard Description
CHG-01 | All change requests are documented in the ITSM tool with a unique ID.
CHG-02 | Each change includes impact analysis, rollback plan, and test evidence.
CHG-03 | CAB convenes weekly to review and approve changes based on risk tier.
CHG-04 | Emergency changes are reviewed post-factum within 48 hours of implementation.
CHG-05 | Automated deployment pipelines for code changes enforce approvals and logging.
CHG-06 | Notifications are sent to affected business units prior to scheduled downtime.
CHG-07 | Change success/failure status is logged, and failures trigger incident review.
CHG-08 | Monthly audits validate that only authorized and approved changes were applied.

6. Roles and Responsibilities

  • Change Requester: Initiates the request, performs impact analysis, and prepares documentation.

  • CAB (Change Advisory Board): Reviews and approves/rejects change requests based on risk, timing, and dependencies.

  • IT Operations Team: Implements infrastructure-related changes and updates CMDB.

  • DevOps/Engineering: Deploys code or configuration changes through approved CI/CD pipelines.

  • Information Security: Reviews security-impacting changes and ensures compliance with policies.

  • Compliance/Audit: Verifies documentation, audit trail, and effectiveness of the change control process.

7. Compliance and Exceptions

Compliance is enforced through ITSM audit logs, CAB meeting minutes, and periodic change review audits. Unauthorized or unlogged changes are treated as critical compliance violations and subject to disciplinary review.

Exceptions—such as emergency changes or fixes during outages—must be logged retroactively, approved post-implementation, and documented with risk assessment and backout validation. All exceptions are reviewed monthly by the CAB.

8. Enforcement

Deliberate bypassing of the change approval process, failure to log changes, or implementation of unauthorized modifications will result in disciplinary action. Penalties may include formal warnings, revocation of change privileges, or termination depending on the severity.

Contractors or vendors who violate change protocols may face penalties, loss of access, or contract termination.

9. Related Policies/Documents

  • POL-ALL-009: Change Management Policy

  • PRC-ALL-010: Configuration Management Procedure

  • SOC 2 Criteria: CC8.1 (System Change Procedures), CC8.2 (Authorization and Documentation)

  • ISO/IEC 27001:2022 Control A.8.32

  • CMDB (Configuration Management Database) Guidelines

  • Emergency Change Review Log

  • Weekly CAB Meeting Agenda and Checklist

10. Review and Maintenance

This procedure shall be reviewed annually or when significant changes to systems, personnel, or change tooling occur. The Director of IT Operations is responsible for initiating the review and ensuring all change-related documentation is updated accordingly.

Ready to experience the BlueDocs advantage

See why teams choose BlueDocs for comprehensive knowledge management, training workflows, and policy compliance tracking.
