Chapter 2: Establishing a Change Management Process

A robust change management process is crucial for MSPs and MSSPs offering vCISO services. It ensures security teams maintain visibility, support operational continuity, and align IT and security changes with broader organizational objectives. At the core of effective change management is understanding and documenting all planned IT modifications, along with assessing their potential impacts. 

The change advisory board (CAB) often depends on cybersecurity experts to identify and evaluate risks that may not have been previously considered, helping to ensure that no critical vulnerabilities are overlooked.

For vCISOs, this responsibility extends to evaluating how changes could affect client environments. In some instances, it may be necessary to engage directly with clients to identify the risks associated with a proposed update or modification. This proactive communication fosters transparency, enabling clients to make informed decisions that balance the benefits of a change against potential security risks.

Identifying Key Stakeholders and Roles

The first step is defining who will manage and oversee changes:

  • Asset owners and custodians: As identified in the asset inventory, these individuals are responsible for maintaining devices or systems, approving changes, and ensuring their ongoing reliability.
  • IT and security teams
  • Other departments

Stakeholder roles are crucial in ensuring that all changes are thoroughly vetted and approved by those who understand the potential impact on business operations.

Building a Change Control Board (CCB)

The Change Control Board (CCB) is a cross-functional team responsible for reviewing and approving changes that carry significant implications, particularly those that impact security. The board ensures that changes align with the organization’s cybersecurity goals.

Key Elements Include:

  • Visibility and communication: The CCB ensures visibility into all changes across the environment, reducing the risk of overlapping modifications.
  • Change scheduling: By scheduling changes strategically, the CCB minimizes downtime and operational disruptions.
  • Membership: While the CCB often includes system administrators, project managers, and security teams, smaller MSPs may rely on fewer individuals performing multiple roles.
  • Risk awareness: The CCB raises awareness about changes, their timing, and their potential impact on interconnected systems.

Defining Change Request and Approval Workflows

A formalized workflow ensures consistency and accountability. Key components include:

  1. Defining a change: The policy must clearly outline what constitutes a change. This could range from role-based access adjustments to major system upgrades.
  2. Submission process: Changes are submitted through a centralized platform, such as SharePoint or a ticketing system. Submissions should include details like:
    • Type of change (e.g., minor, major, emergency)
    • Affected systems, departments, and resources
    • Security and operational impact
    • Planned rollback procedures in case of failure
  3. Approval: The CCB evaluates the request, consulting with the cybersecurity team to assess risks and to ensure the change aligns with security policies.

Creating a Change Management Policy

Aligning change management with security goals ensures that every modification to an IT environment supports the organization’s overall security posture. A robust policy underpins the change management process, outlining:

  • Approval thresholds: If a procedure is not documented as part of a Standard Operating Procedure (SOP), it requires approval.
  • Meeting cadence: Define how often the CCB meets to review changes.
  • Change documentation: All changes must be logged to ensure traceability and auditability.

For example, a policy might state:

  • Routine updates: Patch management is SOP and does not require approval.
  • Major changes: Operating system upgrades must be approved by the CCB and cybersecurity team.

Key Benefits of Structured Change Management

  • Improved security: A structured process ensures changes are evaluated for potential risks to system security and operational continuity.
  • Enhanced auditability
  • Due diligence

Structured change management provides more than just operational benefits—it supports regulatory compliance, enhances security, and builds a stronger foundation for organizational accountability. By establishing a clear change management process, MSPs and MSSPs not only enhance their operational efficiency but also build trust with their clients by demonstrating a commitment to transparency, security, and business continuity.