
CHANGE MANAGEMENT POLICY

RECOM CONSULTING LIMITED


ISO 27001:2013

House 18 (Flat B2), Road 1/A, Block J, Baridhara, Dhaka 1212


ISMS FRAMEWORK

Document Details

Document: CHANGE MANAGEMENT POLICY

Document Number: RCL/ISMS/L2/07

Version: 1.0

Document Date: 01-10-2021

Prepared By: CISO

Reviewed By: ISSC

Approved By: CEO

Classification Level: Internal

Modification History

Sl. No. | Description of Change | Date of Change | Version No.
1 | Initial Release | 01-10-2021 | 1.0

This is an internal document prepared by RECOM CONSULTING LIMITED and it is strictly prohibited to be reproduced, utilization of
disclosure to any third party, in any form, without prior intimation to RECOM CONSULTING LIMITED

1 CONTENTS
1 Contents
2 Introduction
2.1 Overview
2.2 Objective
2.3 Procedure
3 Scope
4 Roles & Responsibilities
5 Enforcement


2 INTRODUCTION

2.1 OVERVIEW

Change management refers to a formal process for making changes to existing baseline products.
The goal of change management is to increase awareness and understanding of proposed changes
across an organization and ensure that all changes are made in a systematic way that minimizes
negative impact to services and customers.

Change management generally includes the following steps:

• Evaluation: Evaluate the change, including determining the priority of the change and the
risks involved in implementing the proposed change.
• Review: Review the change with peers and all other stakeholders who are directly or
indirectly affected by the change.
• Approval: Obtain approval of the change from management as appropriate.
• Planning: Plan the change, including the implementation, scheduling, testing of the
implemented change and the roll-back plan in case the change cannot be implemented or
does not give the desired result after implementation.
• Communication: Communicate about changes to be implemented with the appropriate
stakeholders.
• Implementation: Implement the change.
• Documentation: Document the change along with any review and approval information.
• Post-change review: Review the implemented change to see whether it matches the
desired result.


2.2 OBJECTIVE

The objective of this document is to establish a Change Management procedure for controlling
changes/addition/removal of information processing facilities and all changes to equipment,
software or procedures. Inadequate control of changes to information processing facilities and
systems is one of the major causes of failure.

2.3 PROCEDURE

Change Management and Documentation

• The change management process must involve documenting and managing the change
requests.
• The documentation must provide a brief description of the changes requested, the date on
which the request was made, prioritizing of the request, tracking and controlling
modifications and assigning a unique number to each request.
• All changes must be scheduled and all stakeholders must be informed in advance of the
change.
• All changes must be reviewed after the roll-out.

Change Approval

• The immediate controlling authority of the user requesting the change must approve all
change requests, based on business requirements. The request is then forwarded to the
Change Advisory Board or higher, which, after validation, either forwards it to the
change request handling team or asks the end user for more clarification.
• If the change request involves incorporating data from a different application, the
Application Owner of that application must also approve the request.
• An assessment of the proposed system changes must be performed to assess its potential


Testing of changes and backup

• All changes must be tested before being carried out in the live/ production environment,
wherever required.
• A quality assurance test of the changes to be implemented must be performed in a test
environment prior to implementation in the production environment wherever applicable.
• A backup of the system impacted by the change must be made prior to its being updated.
• For critical systems, rollback and recovery procedures must be followed in case of
unsuccessful changes.

Unscheduled

• Unscheduled changes are to be carried out only in case there are critical production issues,
which require the change.
• All unscheduled changes must be done with appropriate approval and roll-back plan.
• After unscheduled changes are carried out, normal change procedures must be expedited.

Hardware Changes

• Any change to hardware must follow the change management process, which includes
raising a change request, approval by the appropriate authorities and documentation of
the same.
• The custodian of the hardware must conduct all hardware changes after due approval
of the change.
• Changes done to the hardware must be updated in the hardware/asset register after the
change is done.

• Changes done to the hardware must be monitored after the change to ensure that there is
no untoward effect due to the change.

Operating system and Application Changes

• Any change to the operating system or application must be strictly controlled by the use of
the change management process, which will include raising a change request, testing,
approval by the appropriate authorities and documentation of the same.
• Changes to the operating system or the application must be made by following the steps
in the documented operating procedures, wherever applicable.
• All changes must be documented and a trail must be maintained by preserving
the change requests.
• Any change that involves downtime or disruption of services must be done after giving an
appropriate notification to the affected users.

Patch & Service Pack Management

• Application of patches must be done in a controlled manner.
• The patch or service pack must be obtained directly from the vendor or downloaded from
the vendor site only.

Addition of hardware/Software and any other IT resource

• Any addition of hardware or any other resource to the production environment, or its
removal from it, would be controlled and approved, and a complete record of it maintained,
to ensure non-disruption to the operating environment.


3 SCOPE

• The change management procedure applies to all changes to the following areas:
o Changes to Operating systems, which must include application of patches and
service packs, configuration changes, and version upgrades.
o Changes to applications, which must include application of patches, configuration
changes, and version upgrades.
o Changes to networks and network devices like routers, switches, firewall, etc. This
must include changes to router and switch configurations, IOS, firewall policy
changes, network layout/traffic changes and changes to intrusion detection systems.
o Changes to IT hardware such as change of RAM, CPU, and HDDs etc.
o Additions of new location/new application/new Hardware to the existing setup

• The Change Management procedure addresses the following:
o Change Management and documentation
o Change Approval mechanism
o Testing of Changes and backup
o Unscheduled/Emergency backups

4 ROLES & RESPONSIBILITIES

The CISO is responsible for the proper implementation of the Change Management Procedure.

5 ENFORCEMENT

All users of RECOM CONSULTING LIMITED who violate this policy may be subject to appropriate
corrective action, including disciplinary measures.
