Change Management and the Change Advisory Board: Controlling the Service Environment

Why Change Management Is Critical

The majority of service incidents are change-related. A misconfigured firewall rule, a database migration that fails, an application deployment with unintended side effects—these represent the failure mode of poor change management. Disciplined change management prevents unauthorized changes, reduces change-related outages, and creates the audit trail needed to diagnose incidents when they occur. ISO 20000 Clause 5.5 requires change management control; auditors verify this by sampling change records and cross-referencing them with infrastructure logs, CMDB audit trails, and incident records.

Change Types and Authorization Models

Standard changes are pre-authorized, documented, low-risk, and repeatable: examples include scheduled patching, standard account provisioning, routine firewall rule updates. Standard changes do not require per-instance CAB approval; instead, the process owner pre-authorizes the change type, and staff execute according to procedure. Every standard change must still be recorded in the change register, with execution date and outcome documented. Normal changes require assessment and approval before implementation; they go through the full CAB cycle. Risk assessment (likelihood, impact, risk score) is completed; implementation plan with step-by-step procedure is documented; rollback plan is prepared. The CAB reviews, discusses risks, and approves or defers. Emergency changes can be approved and executed immediately when a risk to the business requires action that cannot wait for the normal CAB cycle (service is down and repair is urgent); post-implementation, the emergency change is presented to CAB for retrospective review. The risk of emergency change overuse—when emergency changes exceed 5% of all changes—signals process bypass and lack of control.

Change Record Content

Every change record must contain: change ID (unique identifier), requester and change owner, clear description of what is being changed and why, affected CIs and services (queried from CMDB), risk assessment with likelihood, impact, and risk score, implementation plan with step-by-step procedure, rollback plan (what to do if change fails), test plan and test results (showing the change was tested before production implementation), scheduled implementation window and actual implementation window, approval history with names of CAB members, their decision, and decision date, implementation outcome, and post-implementation review. The change record serves as the audit trail; auditors will examine change records to verify that decisions were informed by risk data, that testing was documented, and that rollback plans were in place.

KEY CONCEPT

The CAB is a governance body, not a bureaucratic bottleneck. A well-run CAB makes quick, informed decisions based on risk evidence. The goal is appropriate control, not maximum restriction.

The Change Advisory Board: Composition and Authority

The CAB includes: service management lead (chair, who ensures decisions align with SMS objectives), technical architects (who understand service dependencies and risks), key service owners (who understand business criticality), customer representative (for business-impacting changes), security representative (who assesses security implications), and release manager (who coordinates change with deployment). CAB meets weekly or fortnightly; agenda is circulated in advance with change submissions. CAB authority levels are defined: the chair can approve low-risk normal changes; high-risk changes require consensus or escalation to a steering committee. CAB minutes are required documented evidence—not just an approval rubber stamp, but a record of discussion, identified risks, and decisions.

The Forward Schedule of Change

The FSC is the approved change calendar showing all planned implementation windows. It is used to identify change conflicts (two critical changes on the same night increase risk), change freeze periods (e.g., no non-emergency changes during month-end), and business blackout dates (e.g., quarterly earnings release, critical compliance deadline). The FSC is shared with all teams and customers; this transparency prevents surprise changes and allows teams to prepare for likely impacts.

Post-Implementation Review

The PIR is conducted 24–72 hours after implementation. Questions: Did the change achieve its objective? Were there unintended impacts (new errors, performance degradation)? Was the CMDB updated with new configuration details? What went well? What would we do differently next time? PIR completion is a change record closure prerequisite; a change cannot be marked closed without a documented PIR. PIR findings inform continuous improvement (if a certain type of change repeatedly has post-implementation issues, the standard procedure needs revision).

IMPORTANT

Changes implemented without CAB approval (unauthorized changes) are a major nonconformity. Auditors sample change records and cross-reference them with CMDB change logs and incident records to identify undocumented changes.

Change Management Metrics

Metrics to track: change success rate (percentage of changes that achieved their objective with no rollback), emergency change rate (should be <5%), change-related incident rate (percentage of incidents with a change in the 24 hours preceding the incident), change cycle time (elapsed time from submission to approval and implementation), overdue change rate (changes that missed their scheduled implementation window). These metrics are reported monthly; sustained poor performance on any metric should trigger review and remediation planning.

Integrations with Other Practices

Change management is tightly integrated with the CMDB: affected CIs must be identified from the CMDB; CMDB relationships guide impact assessment; after change implementation, the CMDB must be updated to reflect any changes to CI attributes or relationships. Integration with release management ensures that changes are bundled into releases (coordinated deployments rather than ad-hoc changes). Integration with problem management means that permanent fixes are implemented as changes linked to problem records, creating full traceability from problem to fix to change record to closure.

BITLION INSIGHT

Bitlion GRC change management workflow automates CAB meeting scheduling, integrates with the CMDB for impact assessment, provides templates for change records, and visualizes the Forward Schedule of Change with conflict detection.

Why Change Management Is Critical

Change Types and Authorization Models

Change Record Content

The Change Advisory Board: Composition and Authority

The Forward Schedule of Change

Post-Implementation Review

Change Management Metrics

Integrations with Other Practices

ISO 20000 Foundations

What Is ISO 20000 and Why It Matters

The ISO 20000 Standard Structure

Key Definitions and Core Concepts

ISO 20000 and ITIL: Understanding the Relationship

The SMS Lifecycle: Plan–Do–Check–Act

Who Needs ISO 20000 and When

ISO 20000 Requirements

Clause 4: Understanding the Organization and Its Context

Clause 5: Leadership and Commitment

Clause 6: Planning — SMS Objectives, Risk Management, and the Service Management Plan

Clause 7: Support — Resources, Competence, Awareness, and Documented Information

Clause 8.1: SMS Operations — Operational Planning and Control

Clause 8.2–8.3: Service Portfolio and Relationship Management

Clause 8.4–8.5: Supply Chain Management and Service Design, Build, and Transition

Clause 8.6–8.7: Resolution Practices and Service Assurance

ISO 20000 Implementation Process

ISO 20000 Implementation Roadmap: A Phased 12-Month Program

Scoping the SMS: Which Services, Which Boundaries, Which Customers

Gap Assessment and Remediation Planning: Finding and Fixing the Gaps

Designing the Service Management Plan: The Governing Document of the SMS

Implementing Incident, Problem, and Service Request Management

Implementing Change, Release, and Configuration Management

Implementing Availability, Capacity, and Service Continuity Management

Integrating ISO 20000 with ISO 27001 and ISO 22301: Building an Integrated Management System

ISO 20000 Certification Process

Preparing for ISO 20000 Certification: The Pre-Audit Readiness Checklist

Selecting a Certification Body for ISO 20000: A Practical Evaluation Guide

Stage 1 Audit: What Happens, What Auditors Look For, and How to Prepare

Stage 2 Audit: Demonstrating That the SMS Is Genuinely Operational

The 12 Most Common ISO 20000 Audit Nonconformities — and How to Prevent Them

Surveillance Audits and Recertification: Maintaining ISO 20000 Certification

Multi-Standard Certification: Running ISO 20000 and ISO 27001 Together

ISO 20000 SMS Operations and Service Management Practices

Service Level Management and SLA Design: Building Agreements That Work

Incident Management in Practice: From Logging to Closure

Problem Management: Building a Culture of Root Cause Resolution

Change Management and the Change Advisory Board: Controlling the Service Environment

Configuration Management and the CMDB: Building the Foundation of Service Knowledge

Continual Improvement in the SMS: From Aspiration to Discipline

Customer Satisfaction and Service Review: Keeping the SMS Customer-Centred

ISO 20000 in the Indonesian Context

ISO 20000 and OJK IT Governance: Demonstrating Compliance Through SMS

ISO 20000 for Indonesian Managed Service Providers: Market Positioning and Implementation

ISO 20000 for Cloud Service Providers: Managing Services at Scale

ISO 20000 for Government and Public Sector IT in Indonesia

ISO 20000 and UU PDP: Integrating Personal Data Protection into Service Management

Building a Compliance-Ready SMS: The Integrated Indonesian Compliance Architecture

ISO 20000 and Government Procurement: Winning and Retaining Public Sector IT Contracts