
Change Management Process

Confidentiality Statement
This product or document may not, in whole or in part, be copied, photocopied, reproduced,
translated, or reduced to any electronic medium or machine readable form, by any means
electronic, mechanical, photographic, optic recording or otherwise without prior consent, in writing,
of the information owner.

SYS/ISMS/CMP Internal Page 1


Document Control

Document Name: Change Management Process
Document Reference Number: SYS/ISMS/CMP
Classification: Internal
Version Number: V1.0
Date: 18.12.2018
Reviewed by: DGM (Systems)
Approved by: GM (Systems)

Revision History

Date        Version  Description          Created By
            D1.0     Draft Release        ISMS Team
28.05.2018  D1.1     Revised              NALCO Team
07.06.2018  D1.2     Revised              NALCO Team
27.10.2018  D1.3     Annexure A modified  NALCO Team
18.12.2018  V1.0     Base-lined           ISMS Team

Distribution

• File server
• Intranet ISMS portal

Documentation Status

This is a controlled document. This document may be printed; however, any printed copies of the
document are not controlled. The electronic version maintained in the file server and Intranet ISMS
Portal is the controlled copy.

Related documents

S. No.  Document Reference Number  Document Name  Version
1       SYS/ISMS/ISMAN             ISMS Manual    V1.1

Acronyms and Abbreviations

Term  Description
CISO  Chief Information Security Officer
ISC   Information Security Council
RFC   Request for change

TABLE OF CONTENTS

1. INTRODUCTION
2. INPUT
3. ROLES AND RESPONSIBILITY
4. TASKS
   4.1. CHANGE INITIATION
   4.2. CHANGE IMPACT ANALYSIS & CLASSIFICATION
   4.3. CHANGE EVALUATION & APPROVAL
   4.4. CHANGE BUILDING, TESTING & IMPLEMENTATION
   4.5. CHANGE REVIEW & CLOSURE
   4.6. EMERGENCY CHANGES
5. OUTPUT
6. GUIDELINES, TEMPLATES
7. ISO 27001:2013 REFERENCE


1. Introduction

The purpose of the Change Management process is to control the lifecycle of all changes, enabling
beneficial changes to be made with minimum disruption to IT services.

The objectives of the Change Management process are to:

• Respond to the customer’s changing business requirements while maximizing value and
  reducing incidents, disruption and re-work.
• Respond to the business and IT Requests for Change that will align the services with the business
  needs.
• Ensure that changes are recorded and evaluated, and that authorized changes are prioritized,
  planned, tested, implemented, documented and reviewed in a controlled manner.
• Ensure that changes to configuration items are maintained.
• Optimize overall business risk: it is often correct to minimize business risk, but sometimes it is
  appropriate to knowingly accept a risk because of the potential benefit.
• Changes should be managed to:
  o Optimize risk exposure
  o Minimize the severity of any impact and disruption
  o Achieve success at the first attempt
  o Ensure that all stakeholders receive appropriate and timely communication about change so that
    they are aware and ready to adopt and support the change.

The scope of this process includes all IT-related changes handled in the datacenters of NALCO,
including (but not limited to) the following:

• Hardware changes and system software changes
• Network changes
• Application changes
• Database changes
• Operational and support procedures and system documentation changes
• Version upgrades/enhancements/patches
• Planned/scheduled outages.

The results of the review are documented and records are maintained.

2. Input

• Change Request raised by initiator


3. Roles and Responsibility

Roles                  Responsibilities
Initiator (requestor)  Raises the request for change.
Concerned GM / ED      Forwards the request for change.
Approver               Approves the change.
Implementer            • Receives the approved request for change.
                       • Implements and manages the change.

Figure 1: Change Management Process Cycle

4. Tasks

4.1. Change Initiation

• Initiator raises the request for change (RFC) through the change request form.
• Change Request form consists of:
  o Initiator (requestor) name
  o Type of request
  o Details of the change
    ▪ Brief Description
    ▪ Impact analysis
    ▪ Justification
  o Supporting information.

4.2. Change Impact Analysis & Classification

• Possible implications of making the change are analyzed.
• Risks associated with the change are evaluated.
• Effect of proposed change on performance and quality is analyzed.
• Business and technical consequences of making the change are analyzed.
• How the proposed change will be verified is documented.
• Based on the change impact analysis, the change is classified as:
  o High Impact change (HIC), including but not limited to:
    ▪ Change in application running in production
    ▪ Change in critical infrastructure
    ▪ Change in critical network access
  o Medium Impact change (MIC)
  o Low Impact change (LIC).

4.3. Change Evaluation & Approval

• Change is evaluated before approval, in terms of:
  o Expected benefits of the proposed change
  o Availability of necessary resources
  o Any effect on already established IT security policies.
• After evaluation, change is approved by the Director (P&T) for new development /
  modifications and GM (Systems) for enhancements / bug fixes.

4.4. Change Building, Testing & Implementation

• Only an approved change is accepted and implemented; in case of any emergency change,
  formal documentation may be done after implementation.
• Rejected change, if any, is sent back to the initiator for the necessary action.
• During implementation, the following points are considered:
  o Both the software developed and the hardware purchased match the predefined
    specifications
  o The envisaged schedules are met and the appropriate resources are assigned
  o The test environment is realistic and simulates the live environment closely
  o The back-out/rollout plans will allow the last stable configuration to be recovered rapidly
  o Log of every change implementation is maintained.


4.5. Change Review & Closure

• Review of the changes will be carried out by the Reviewer as identified below:
  o Infrastructure Head for changes related to hardware/equipment/Network devices/Server/UPS,
    etc.
  o Information Systems Head for changes related to the applications developed in-house.
  o ERP Head for changes involving SAP.

4.6. Emergency Changes


Where a change is required on an emergency basis, it is carried out as soon as possible,
and it is documented within the next 3 days.

5. Output

• Managed Change

6. Guidelines, Templates

• Standard Operating Procedure for New Developments, Modifications, Enhancements & Bug-Fixes
• Template for Change Request Form in Annexure – A

7. ISO 27001:2013 Reference

• A.12.1.2


ANNEXURE – A : CHANGE REQUEST FORM

SECTION A – to be filled by the User Department


Date of Request:
Name & Designation of Requestor:
Type of Request: New Requirement (i), Modification (i), Enhancement (ii), Bug-Fix (ii)
Solution in: ERP, Non-ERP
Brief Description of Requirement / Modification / Enhancement / Bug:
Impact of Request: Global, Plant / Unit Specific
Justification for Requirement / Modification / Enhancement / Bug-Fix:
No of Users to whom Authorizations Envisaged (in case of new only):
Supporting Information (include design or flowchart or conceptual image):
User Identified for Pre-Production Testing & sign-off:

Proposer: Rep Officer: GM ED ED (Tech)


Designation: Designation: (Functional/Unit)

Signature Signature Signature Signature Signature


Important:
(i) All development and configuration requests which are new requirements or are modifications to
an existing solution must be processed by the User Department through the respective Executive Directors.
These will thereafter be examined, and details in Section B will be put up by the IT Team for approval by
the Director (P&T).
(ii) All requirements which are enhancements or bug-fixes must be processed by the IT Team in Section A
and approved by GM (Systems) in Section B.

Note on Requirement:
New: Any new development or business process that is not presently available in the ERP/Non-ERP Solution.
Modification: Any change to the existing solution which modifies or changes the existing process.
Enhancement: Any change to the existing solution which brings in improvements in performance, security, checks and
controls.
Bug-Fix: Any change to the existing solution which addresses a bug in the program or logic.


Section A to be sent to GM (System) for assignment to relevant team.

SECTION B - to be filled by the Systems / ERP before approval by Director/GM (Sys)

Date of Receipt:
Request ID: ERP-______ / LCY-______
Functional Module:
Core Team / Development Team:
End User / Resource Person:
Whether Global or Specific:
If Global, Other End User / Resource Persons:
Brief of Process:
Solution:
Alternate Solution:
Support required:
Decision Points:
Dependency:
Report Format:
Specification Type (Report / Module Pool / Interface / BDC / SAP Script / Dictionary / Enhancements):
Use Periodicity:
Is this Business Critical?
Is this a New Program?
Is Configuration Required?
Is Screen Enhancement Required?
Is Table Structure to be changed?
Development Time (including testing):

Team Lead: GM (System) ED (Tech)


Designation:

Signature Signature Signature


Director (P&T): Approved / Not Approved
Reason for non-approval:
Signature


Section B to be sent to Team Lead for planning execution of requirement.

SECTION C - to be filled by the Systems / ERP after approval by Director / GM (Sys)

Start Date:                End Date:
Remarks for Developer / Consultant:
Program ID or Request#:
Program Name:
Transaction Code:
Transported to 200/210 on:
Transported to Production on:
Test Script:
Config Doc Updated:
User Manual:
Additional Information: Screenshots / sequence of configuration / special information may be recorded in
subsequent pages.

Checklist

Item                                                                     Check (Yes/No)  Notes (Names of reports, tr. code, etc.)
User Sign-Off In QA after Testing
Program Documentation done by ABAP programmer
Authorization Profiles to which the Transaction Code is to be attached
All Components Related To The Development released
Transport Request Number generated
Test Case attached
Test results Dev / Qual / Prod (To be attached)
File Stored in Central Folder

_________________ _________________
Technical Consultant Functional Consultant


---- EOF ----
