Change Management
57% complete
3 sections left
Back to Courses
Chapter 1: Introduction to Change Management for vCISOs
Chapter 2: Establishing a Change Management Process
Chapter 3: Risk Assessment and Impact Analysis
Chapter 4: Planning and Implementing Changes
Chapter 5: Communication and Stakeholder Engagement
Chapter 6: Incident Response and Change Management
Change Management: Key Takeaways & Conclusion

Chapter 4: Planning and Implementing Changes

An effective change management plan outlines the process for executing approved changes while minimizing disruptions and ensuring operational continuity. Once a change request is approved, the focus shifts to planning and implementing the change. Key considerations include:

Scheduling Changes to Minimize Disruptions

Predefined schedules

Establish clear timeframes for implementing changes, such as during maintenance windows or on designated days of the week. This ensures that changes occur during low-impact periods, reducing disruptions to business operations.

Change board meetings
Blackout periods

As discussed, some businesses may choose to restrict changes for critical systems to specific days of the week or times of day. For example, in high-stakes environments, updates may only occur on low-traffic days to reduce risks associated with downtime. These decisions are often documented in the change management policy.

Critical System Changes

Planning for high-impact systems: Changes to critical systems should be scheduled during periods of minimal business activity. For example, updates to production servers might be limited to weekends or overnight hours to ensure they do not disrupt ongoing operations.

Stakeholder input: Incorporate input from all relevant stakeholders, including system administrators, security teams, and project managers. This prevents overlapping changes and ensures resources are available to handle potential issues.

Documentation and Auditability

  • Change logs: All changes must be logged, including details from the change request forms. For instance, track who initiated the request, what systems are affected, and when the change is scheduled to occur.
  • Meeting minutes: Keep detailed records of CAB meetings, highlighting approval decisions, identified risks, and any special instructions.
  • Compliance evidence: Documentation not only supports troubleshooting but also serves as proof during compliance audits. As emphasized in the transcript, these records demonstrate the organization’s intent to operate securely and with due care, which is critical for regulatory purposes and cyber insurance claims.

Implementation Procedures

  • Step-by-step instructions: Each change should include a detailed plan that specifies how it will be executed, who is responsible, and any prerequisites or dependencies. For example, when onboarding new software, ensure the steps account for system compatibility and data migration.
  • Contingency plans: Include rollback or undo plans in case the change has unintended consequences. As discussed in the transcript, failing to plan for failures leads to extended downtimes and operational chaos. For example, rolling out a major software update without testing could disrupt critical applications, requiring a backout plan to restore stability.
  • Proactive monitoring: During the change window, increase monitoring of affected systems to quickly identify and address issues. For high-impact changes, ensure that a response team is on standby.

Changes, especially to critical systems, often have unintended consequences. For example, a Microsoft 365 administrator might implement a configuration change to improve Multi-Factor Authentication (MFA) timeout settings, only to inadvertently lock out all users. Such incidents highlight the importance of robust change management processes in assessing potential dependencies and minimizing risks.

By carefully planning and implementing changes within a structured framework, organizations can maintain control over their IT environment, reduce the risk of errors, and enhance accountability across teams. Additionally, the inclusion of clear documentation and well-defined contingency plans ensures the organization can quickly recover from any unforeseen issues.

Handling Resistance to Change

Resistance to change management often arises because it is perceived as a roadblock to productivity. IT professionals accustomed to making quick fixes, such as “checking a box” on a server, may be frustrated by workflows that turn a two-minute task into a two-week approval process. However, this resistance underscores the need for effective governance and oversight to prevent unintended consequences.

Strategies to Overcome Resistance

Scenario-based education

During initial assessments or risk evaluations, demonstrate the potential risks of unmanaged changes through relatable examples. For instance:

  • Ask stakeholders if they’ve experienced a situation where a quick configuration change unintentionally caused significant downtime.
  • Highlight scenarios where the absence of oversight led to vulnerabilities, outages, or increased support costs.

These examples make the consequences of bypassing change management tangible and emphasize its importance in preventing costly mistakes.

Reframing the process as peer review
Highlighting the separation of duties

While resistance often stems from the inconvenience of perceived “roadblocks,” these measures safeguard the organization against unintended consequences. Governance adds structure and accountability, ensuring that changes are deliberate, well-considered, and documented. By proactively addressing resistance with education, reframing, and clear oversight, organizations can foster a culture of collaboration and risk awareness, ensuring that change management is viewed as a necessary safeguard rather than an unnecessary obstacle.

« Previous Chapter Next »