Skip to main content
AC

Acme Cloud

EthicPages logoVisit EthicPages

Change Management Policy

Last updated: January 15, 2026

Change Management Policy

Document owner: VP Engineering, with CISO as co-owner Version: 3.0 Effective date: January 1, 2026 Last updated: January 15, 2026 Classification: Public — Trust Center Review cadence: Annual review; updates as needed for significant process changes Company: Acme Cloud, Inc. Address: 1200 Market Street, Suite 400, San Francisco, CA 94103, USA Primary contacts: trust@acmecloud.com | security@acmecloud.com | privacy@acmecloud.com

Definitions and Key Terms

TermDefinition
ChangeAny addition, modification, or removal of anything that could have an effect on IT services, configurations, or infrastructure components
Change ManagementThe process responsible for controlling the lifecycle of all changes, enabling beneficial changes with minimum disruption to IT services
Change Advisory Board (CAB)A group that supports the assessment, prioritization, authorization, and scheduling of changes
Emergency Change Advisory Board (ECAB)A subset of CAB authorized to make rapid decisions on emergency changes
Request for Change (RFC)A formal proposal for a change to be made, containing all information required to assess and approve the change
Change WindowPre-approved time periods during which changes may be implemented with reduced risk
Change FreezeA period during which changes are restricted or prohibited, typically around high-risk business periods
RollbackThe process of reversing a change to restore the previous state
Forward Schedule of Changes (FSC)A schedule containing details of all approved changes and their proposed implementation dates
Post-Implementation Review (PIR)A review conducted after a change has been implemented to verify it has met its objectives
Configuration Item (CI)Any component that needs to be managed to deliver an IT service
Configuration Management Database (CMDB)A database containing information about configuration items and their relationships
Impact AssessmentEvaluation of the potential effects of a proposed change on services, infrastructure, and business operations
Standard ChangeA pre-authorized change that is low risk, relatively common, and follows an established procedure
Normal ChangeA change that follows the standard change management process requiring CAB assessment
Emergency ChangeA change that must be implemented as quickly as possible to resolve an incident or prevent imminent failure
Major ChangeA high-risk or high-impact change requiring extended assessment and executive approval
Blue-Green DeploymentA deployment technique using two identical production environments to enable zero-downtime releases
Canary ReleaseA deployment technique where changes are gradually rolled out to a subset of users before full deployment
Feature FlagA technique allowing features to be enabled or disabled without deploying new code
Immutable InfrastructureInfrastructure components that are replaced rather than modified for changes

Scope and Purpose

This Change Management Policy establishes the processes, controls, and responsibilities for managing changes to Acme Cloud, Inc.'s production systems, infrastructure, applications, and services. The policy applies to all changes that could affect the confidentiality, integrity, or availability of customer data, production services, or security controls. The purpose is to ensure that standardized methods and procedures are used for efficient and prompt handling of all changes, minimizing the impact of change-related incidents upon service quality, and improving day-to-day operations.

In-Scope Systems and Changes

CategoryExamplesChange Types
Production ApplicationsCustomer-facing SaaS platform, APIs, web applicationsCode deployments, configuration changes, feature releases
Production InfrastructureAWS resources, databases, networking, load balancersInfrastructure modifications, scaling, region changes
Security SystemsWAF, authentication services, encryption, monitoringSecurity configurations, access control changes, certificate rotations
Database SystemsPostgreSQL (RDS), Redis, ElasticsearchSchema changes, index modifications, replication changes
Integration PointsThird-party APIs, webhooks, SSO configurationsAPI version changes, endpoint modifications, authentication updates
Monitoring & ObservabilityDatadog, alerting rules, dashboardsAlert threshold changes, monitoring coverage changes
Development InfrastructureCI/CD pipelines, build systems, staging environmentsPipeline changes, build configuration, test infrastructure
Corporate ITIdentity providers, productivity tools, access managementUser provisioning, policy changes, tool configuration

Out-of-Scope

CategoryGovernance
Customer-side configurationsCustomer responsibility per shared responsibility model
Development environment (non-production)Standard development practices; not subject to CAB
Documentation updatesContent management processes
Non-technical business processesBusiness process governance

Change Categories and Classifications

Change Type Classification

Change TypeDefinitionApproval AuthorityLead TimeDocumentation
Standard ChangePre-authorized, low-risk, routine changes following established proceduresPre-approved by CABNone requiredTemplate-based RFC
Normal ChangeChanges requiring assessment and approval following standard processCABMinimum 24 hoursFull RFC
Major ChangeHigh-risk or high-impact changes requiring extended reviewCAB + Executive SponsorMinimum 5 business daysFull RFC + Impact Assessment
Emergency ChangeUrgent changes to restore service or prevent imminent failureECAB (reduced quorum)ImmediateRetroactive RFC within 24 hours

Risk Classification Matrix

Risk LevelCriteriaApproval RequirementsRollback PlanTesting Requirements
LowNo customer impact; single component; automated rollback; <5 minutes executionChange LeadAutomatedAutomated tests pass
MediumLimited customer impact; multiple components; manual rollback possible; <30 minutesCAB approvalDocumented manual procedureStaging validation
HighPotential service disruption; critical systems; complex rollback; >30 minutesCAB + CISOTested rollback procedureFull regression
CriticalSecurity impact; data integrity risk; production database changes; irreversibleCAB + CTO + CISOVerified rollback with backupFull regression + canary

Impact Classification

Impact LevelCustomer EffectAffected ScopeExample Changes
MinimalNo noticeable customer impactSingle non-critical componentLog level change, dashboard update
LowDegraded non-critical functionalitySingle feature or endpointMinor UI change, error message update
MediumDegraded critical functionalityMultiple features or single critical systemAPI response format change, authentication flow update
HighService interruption or data access impactCore platform or multiple critical systemsDatabase schema change, infrastructure migration
CriticalComplete service outage or data integrity riskEntire platformMajor version upgrade, security vulnerability remediation

Change Advisory Board (CAB)

CAB Composition

RoleMemberResponsibilitiesVoting
CAB ChairVP EngineeringMeeting facilitation; final decision authority; conflict resolutionYes
Security RepresentativeCISO or designeeSecurity impact assessment; compliance verificationYes
SRE LeadDirector of SREOperations impact; availability assessment; rollback planningYes
Engineering LeadPrincipal Engineer (rotating)Technical assessment; implementation guidanceYes
Product RepresentativeProduct Manager (rotating)Customer impact assessment; release coordinationAdvisory
QA RepresentativeQA LeadTesting coverage assessment; quality verificationAdvisory
ScribeDesignated team memberDocumentation; action trackingNo

CAB Meeting Schedule

Meeting TypeFrequencyDurationQuorum RequirementsPurpose
Regular CABWeekly (Tuesday)60 minutesVP Engineering + 2 voting membersReview and approve normal/major changes
Ad-hoc CABAs needed30 minutesVP Engineering + 1 voting memberUrgent but non-emergency changes
ECABAs triggered15 minutesAny 2 voting membersEmergency change authorization
CAB ReviewMonthly90 minutesAll voting membersProcess review; metrics analysis; improvement planning

CAB Decision Authority

Change TypeApproval RequirementsEscalation Path
Normal (Low Risk)2 voting members including Change LeadVP Engineering
Normal (Medium Risk)CAB majority (3 of 4 voting members)VP Engineering + CISO
MajorCAB majority + Executive SponsorCTO
EmergencyECAB (2 voting members)VP Engineering + CISO
Security-ImpactingMust include CISO approvalCTO
Data Schema ChangesMust include SRE Lead approvalVP Engineering

Change Management Process

Standard Change Process

Standard changes are pre-authorized changes that follow documented procedures and require minimal assessment.

PhaseActivitiesOwnerDuration
IdentificationConfirm change matches standard change catalog entryChange RequesterN/A
RequestCreate RFC using standard change template; auto-approvedChange Requester5 minutes
ImplementationExecute change following documented procedureChange ImplementerPer procedure
VerificationConfirm successful implementation per checklistChange ImplementerPer procedure
ClosureClose RFC; update CMDB if applicableChange Requester5 minutes

Standard Change Catalog

Standard Change IDDescriptionProcedureRisk LevelAuto-Approval
SC-001Deploy application via CI/CD with passing testsCI/CD pipeline executionLowYes
SC-002Certificate rotation (automated)Certificate manager automationLowYes
SC-003Add non-sensitive environment variableEnvironment configuration procedureLowYes
SC-004Scaling within pre-approved parametersAuto-scaling policiesLowYes
SC-005Feature flag toggle (existing flag)Feature flag management procedureLowYes
SC-006Add monitoring alert (non-critical)Alerting configuration procedureLowYes
SC-007Dependency update (patch version)Dependency update procedureLowYes
SC-008DNS record addition (non-critical)DNS management procedureLowYes

Normal Change Process

PhaseActivitiesOwnerTimeline
RequestCreate RFC with required information; assign change leadChange RequesterDay 1
AssessmentImpact assessment; risk classification; rollback planningChange Lead24-48 hours
ReviewTechnical review; security review if applicablePeer reviewer24 hours
AuthorizationCAB review and approvalCABNext CAB meeting
PlanningSchedule implementation; notify stakeholders; prepare rollbackChange LeadPre-implementation
ImplementationExecute change within approved windowChange ImplementerPer schedule
VerificationConfirm successful implementation; execute validation testsChange ImplementerPost-implementation
PIRPost-implementation review for Medium/High riskChange LeadWithin 5 days
ClosureClose RFC; update documentation; communicate completionChange LeadWithin 24 hours

Emergency Change Process

PhaseActivitiesOwnerTimeline
DeclarationDeclare emergency; justify urgency; request ECABIncident CommanderImmediate
ECAB ConveningAssemble available ECAB members (minimum 2 voting)On-call rotation15 minutes
Rapid AssessmentAssess change impact; identify minimum viable changeChange Lead + ECAB15-30 minutes
AuthorizationECAB approval with verbal authorization documentedECABImmediate
ImplementationExecute emergency change with enhanced monitoringChange ImplementerAs needed
StabilizationVerify service restoration; monitor for issuesChange Lead + SREPost-implementation
DocumentationCreate retroactive RFC within 24 hoursChange Lead24 hours
PIRMandatory post-implementation reviewChange LeadWithin 3 days

Request for Change (RFC) Requirements

RFC Information Requirements by Change Type

Information ElementStandardNormalMajorEmergency
Change descriptionRequiredRequiredRequiredPost-hoc
Business justificationTemplateRequiredDetailedPost-hoc
Impact assessmentPre-assessedRequiredExtendedPost-hoc
Risk classificationPre-classifiedRequiredRequiredPost-hoc
Implementation planReference procedureRequiredDetailedAs available
Rollback planReference procedureRequiredTested planBest effort
Testing evidencePre-validatedRequiredExtended validationPost-hoc
Approval signaturesAuto-approvedCABCAB + ExecutiveECAB verbal
Scheduled windowAny timeApproved windowApproved windowImmediate
Communication planN/AAs neededRequiredIncident comms

RFC Template Fields

FieldDescriptionRequired For
RFC IDAuto-generated unique identifierAll
Change TitleBrief descriptive titleAll
Change TypeStandard/Normal/Major/EmergencyAll
Risk LevelLow/Medium/High/CriticalAll
Change LeadResponsible individualAll
Implementation TeamPersonnel involved in implementationNormal, Major
Affected SystemsConfiguration items impactedAll
Change DescriptionDetailed technical descriptionAll
Business JustificationWhy the change is neededNormal, Major
Impact AssessmentCustomer, service, and risk impactNormal, Major
Implementation PlanStep-by-step implementation procedureNormal, Major
Rollback PlanSteps to reverse the changeNormal, Major
Testing SummaryTests performed and resultsNormal, Major
DependenciesOther changes or prerequisitesNormal, Major
Proposed ScheduleImplementation date and windowNormal, Major
Stakeholder CommunicationNotification planMajor
Approval StatusAuthorization recordAll

Implementation Standards

Change Windows

Window TypeDaysHours (PT)PurposeChange Types Permitted
Primary WindowTuesday-Wednesday9:00 AM - 3:00 PMStandard production changesNormal, Major
Secondary WindowMonday, Thursday10:00 AM - 2:00 PMLower-risk changesNormal (Low-Medium risk)
Off-Hours WindowWednesday10:00 PM - 2:00 AMHigh-impact changes requiring low trafficMajor
Emergency WindowAnyAnyEmergency changes onlyEmergency
Prohibited WindowDuring freezeN/ANo changes except emergencyEmergency only

Change Freeze Periods

PeriodDurationRationaleExceptions Process
Year-End FreezeDecember 15 - January 5Holiday period; reduced staffingCTO approval required
Quarter-End FreezeLast 3 business days of Q1-Q3Financial close; customer reportingVP Engineering + CISO approval
Major Customer EventsAs announcedCustomer-critical periodsVP Engineering approval

Deployment Strategies

StrategyDescriptionUse CasesRisk Level
Blue-GreenDeploy to inactive environment; switch trafficZero-downtime deployments; infrastructure changesMedium
CanaryDeploy to small percentage of traffic; expand graduallyHigh-risk changes; feature validationMedium-High
RollingDeploy incrementally across instancesRoutine deployments; containerized workloadsLow-Medium
Feature FlagsDeploy code with feature disabled; enable progressivelyFeature releases; A/B testingLow
ImmutableReplace infrastructure entirely rather than modifyingInfrastructure changes; compliance-sensitiveMedium

Rollback Requirements

Risk LevelRollback RequirementsMaximum Rollback Time
LowAutomated rollback or documented procedure15 minutes
MediumDocumented and tested procedure; data backup if applicable30 minutes
HighTested procedure with dry run; verified backup; data validation60 minutes
CriticalTested procedure within 30 days; backup verification; staged rollback option2 hours

Testing Requirements

Testing Matrix by Change Type

Testing TypeStandardNormal (Low)Normal (Medium/High)Major
Unit TestsPre-validatedRequired (pass)Required (pass)Required (pass)
Integration TestsPre-validatedRequired (pass)Required (pass)Required (pass)
Security ScanPre-validatedAs applicableRequiredRequired
Staging DeploymentN/AOptionalRequiredRequired
Performance TestN/AAs applicableRequired for critical pathsRequired
User AcceptanceN/AN/AAs applicableRequired for UI changes
Rollback TestPre-validatedN/ARequired for High riskRequired
Canary ValidationN/AN/AOptionalRequired for Critical

Pre-Deployment Checklist

CheckpointDescriptionVerification Method
CI Pipeline PassAll automated tests passingPipeline status
Code Review ApprovedPeer review completed and approvedPR approval
Security Scan ClearNo critical or high vulnerabilitiesScan report
Staging ValidatedChange tested in staging environmentValidation checklist
Rollback ReadyRollback procedure documented and artifacts availableProcedure review
Monitoring ConfiguredRelevant dashboards and alerts readyDashboard confirmation
Communication SentStakeholders notified per communication planNotification record
Backup VerifiedRequired backups completed and verifiedBackup confirmation

Monitoring and Communication

Change Notification Requirements

AudienceChange TypeTimingChannelContent
Engineering TeamAll24 hours beforeSlack #engineeringSummary, timing, impact
SRE TeamNormal (Medium+), Major48 hours beforeSlack #sre + emailFull RFC details
Customer SuccessCustomer-impacting72 hours beforeEmail + SlackCustomer communication plan
CustomersService-affectingPer communication planStatus page, emailStatus update
Executive TeamMajor5 days beforeEmailSummary, risk, timeline

Implementation Monitoring

Monitoring TypeTriggerDurationEscalation
Real-Time DashboardsAll production changesDuring implementation + 30 minutesAnomaly detection
Enhanced AlertingMedium+ risk changesImplementation + 2 hoursAutomatic paging
Extended MonitoringHigh/Critical riskImplementation + 24 hoursOn-call team
Canary MetricsCanary deploymentsUntil full rolloutAutomatic rollback triggers

Post-Implementation Review

PIR Requirements

Change TypePIR RequiredPIR TimingPIR Scope
StandardNoN/AN/A
Normal (Low)OptionalAs neededInformal retrospective
Normal (Medium)YesWithin 5 business daysStandard PIR
Normal (High)YesWithin 3 business daysExtended PIR
MajorYesWithin 5 business daysExtended PIR
EmergencyYesWithin 3 business daysExtended PIR + Root Cause

PIR Content

SectionContentOwner
Change SummaryWhat was changed and whyChange Lead
Implementation ResultsSuccess/partial/failed; actual vs. planned timingChange Implementer
Issues EncounteredProblems during implementation; workarounds appliedImplementation Team
Customer ImpactAny customer-visible effectsCustomer Success
MetricsPerformance impact; error rate changes; availability impactSRE
Lessons LearnedWhat worked well; what could be improvedAll participants
Action ItemsFollow-up tasks with owners and due datesChange Lead

Metrics and Reporting

Key Performance Indicators

MetricDefinitionTargetFY2025 Actual
Change Success RateSuccessful changes / Total changes>98%99.2%
Emergency Change RateEmergency changes / Total changes<5%3.1%
Change-Related IncidentsIncidents caused by changes / Total changes<2%1.4%
Mean Time to ImplementAverage time from approval to completion<4 hours2.8 hours
Rollback RateRolled back changes / Total changes<3%1.8%
CAB Cycle TimeTime from RFC submission to CAB decision<72 hours48 hours
Post-Implementation Review CompliancePIR completed on time / PIR required>95%97%
Change BacklogChanges awaiting CAB approval<2012 average

Monthly Change Statistics (FY2025 Average)

Change CategoryCountSuccess RateRollback Rate
Standard Changes84799.8%0.2%
Normal Changes (Low Risk)14299.3%0.7%
Normal Changes (Medium Risk)3897.4%2.6%
Normal Changes (High Risk)8100%0%
Major Changes4100%0%
Emergency Changes694.4%5.6%
Total Monthly Average1,04599.2%0.8%

Numbered Policy Statements

  1. Universal Applicability: All changes to production systems, infrastructure, security controls, and customer-impacting services must follow this change management policy regardless of urgency or organizational level of the requester.

  2. Classification Requirement: All changes must be classified by type (Standard, Normal, Major, Emergency) and risk level (Low, Medium, High, Critical) prior to implementation.

  3. Authorization Mandate: No change may be implemented without appropriate authorization as defined by the change type and risk classification matrices in this policy.

  4. Documentation Requirement: All changes must be documented in the change management system with a valid Request for Change (RFC) prior to implementation, except emergency changes which require retroactive documentation within 24 hours.

  5. CAB Authority: The Change Advisory Board has authority to approve, defer, reject, or request modifications to all normal and major changes.

  6. ECAB Emergency Authority: Emergency changes may be authorized by ECAB with reduced quorum (2 voting members) when immediate action is required to restore service or prevent imminent failure.

  7. Testing Obligation: All changes affecting production systems must pass required testing validation appropriate to their risk level before implementation.

  8. Rollback Readiness: All Normal and Major changes must have documented rollback procedures. High and Critical risk changes must have tested rollback procedures.

  9. Change Window Compliance: Non-emergency changes must be implemented within approved change windows unless specific exception is granted by CAB.

  10. Change Freeze Compliance: Changes during freeze periods require explicit exception approval per the exceptions process defined in this policy.

  11. Post-Implementation Review: Changes classified as Medium risk or higher, and all emergency changes, require documented Post-Implementation Review within specified timeframes.

  12. Incident Linking: Changes that cause incidents must be documented in the incident record, and incidents that require emergency changes must reference the emergency RFC.

  13. Continuous Improvement: The change management process shall be reviewed monthly using metrics analysis and quarterly through process improvement initiatives.

  14. Training Requirement: All personnel authorized to submit or implement changes must complete change management training annually and demonstrate understanding of this policy.

Framework Appendix

Compliance Mapping

RequirementSOC 2 CriteriaISO 27001 ControlHIPAA ProvisionImplementation
Change authorizationCC8.1A.12.1.2§164.312(c)(1)CAB approval process
Change documentationCC8.1A.12.1.2§164.312(b)RFC system
Change testingCC8.1A.12.1.4§164.312(d)Testing requirements
Segregation of dutiesCC8.1A.12.1.4§164.312(a)(1)Role separation
Emergency change processCC8.1A.12.1.2§164.312(a)(2)(ii)ECAB procedures
Change audit trailCC8.1A.12.1.2§164.312(b)Change logs

ITIL Alignment

ITIL ProcessPolicy ImplementationProcess Owner
Change ManagementFull process implementationVP Engineering
Release ManagementDeployment strategies; release coordinationEngineering Leads
Configuration ManagementCMDB updates; CI trackingSRE
Incident ManagementEmergency change linkageSecurity + SRE
Problem ManagementPIR integration; root cause analysisEngineering

Related Trust Center documents

incident response, security overview, sdlc policy, access control, business continuity, compliance frameworks

Document revision history

VersionDateAuthorSummary of changes
1.02024-06-01Legal & ComplianceInitial Trust Center publication
2.02025-03-15GRC ProgramSOC 2 Type II alignment refresh; expanded subprocessors
2.52025-09-01Security EngineeringEncryption standards update; ISO 27001 mapping
3.02026-01-15Trust Center ProgramFull procurement-grade expansion; 34-document set

Contact

Acme Cloud, Inc. 1200 Market Street, Suite 400 San Francisco, CA 94103, USA

ChannelEmailUse case
Trust & procurementtrust@acmecloud.comSecurity questionnaires, trust reviews
Securitysecurity@acmecloud.comIncidents, vulnerabilities, control questions
Privacyprivacy@acmecloud.comDSRs, privacy assessments
Legallegal@acmecloud.comContractual, DPA, legal notices

Change Management Contacts

ContactRoleAvailabilityUse Case
change-management@acmecloud.comCAB AdministrationBusiness hoursRFC questions, process guidance
VP EngineeringCAB ChairBusiness hoursEscalations, exceptions
CISOSecurity approvalBusiness hours + on-callSecurity-impacting changes
SRE On-CallEmergency changes24/7ECAB activation, emergency implementation

Appendix: Change Management Tools

ToolPurposeIntegration
Jira Service ManagementRFC creation and tracking; workflow automationSSO; Slack notifications
GitHubCode changes; PR-based reviewsCI/CD pipeline trigger
DatadogChange monitoring; deployment trackingAutomatic deployment annotations
PagerDutyECAB notification; on-call routingAutomatic escalation
SlackReal-time communication; change notificationsBot integrations
ConfluenceProcedure documentation; runbooksLinked from RFCs

Document Version: 3.0 Last Updated: January 15, 2026

Last updated: January 15, 2026
EthicPages logoEthicPages