Change Control Policy


The purpose of the (District/Organization) Change Control Policy is to establish the rules for the creation, evaluation, implementation, and tracking of changes made to (District/Organization) Information Resources.


The (District/Organization) Change Control Policy applies to any individual, entity, or process that creates, evaluates, and/or implements changes to (District/Organization) Information Resources.


  • Changes to production (District/Organization) Information Resources must be documented and classified according to their:
    • Importance,
    • Urgency,
    • Impact, and
    • Complexity.
  • Change documentation must include, at a minimum:
    • Date of submission and date of change,
    • Owner and custodian contact information,
    • Nature of the change,
    • Change requestor,
    • Change classification(s),
    • Roll-back plan,
    • Change approver,
    • Change implementer, and
    • An indication of success or failure.
  • Changes with a significant potential impact to (District/Organization) Information Resources must be scheduled.
  • (District/Organization) Information Resource owners must be notified of changes that affect the systems they are responsible for.
  • Authorized change windows must be established for changes with a high potential impact.
  • Changes with a significant potential impact and/or significant complexity must have usability, security, and impact testing, as well as back-out plans, included in the change documentation.
  • Change control documentation must be maintained in accordance with the (District/Organization) Information Retention Schedule.
  • Changes made to (District/Organization) customer environments and/or applications must be communicated to customers, in accordance with governing agreements and/or contracts.
  • All changes must be approved by the Information Resource Owner, Director of Information Technology, or Change Control Board (if one is established).
  • Emergency changes that require immediate implementation (e.g., break/fix, incident response) may be implemented without following the formal change control process, but may not circumvent documentation requirements, even if the change is documented after the fact.


See Appendix A: Definitions


  • ISO 27002: 12.1.2
  • (District/Organization) Network Management Policy


Waivers from certain policy provisions may be sought following the (District/Organization) Waiver Process.


Personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.

Any vendor, consultant, or contractor found to have violated this policy may be subject to sanctions up to and including removal of access rights, termination of contract(s), and related civil or criminal penalties.
