Change Control Process

ICT Directorate, Ministry of Finance

The document describes the policy and procedures for accommodating change in the ICT services covering
software issues, network issues, migration and integration of systems.
 Change Control Process


Process No: 3
Process Name: Change Control Process

Effective Date: 01, September 2020

Version No: 1

Responsible Person: Dilawar, ICT Advisor

Contact Information: [email protected]

Applications, Network Devices, Network Infrastructure, ICT

Version History
Version Approved By Revision Date Description Author

1 20/07/2020 Initial document Mr. Dilawar

Approval And Review

1
 Change Control Process


Introduction
Change control is an integral part of management. Most projects face the prospect of change at some point
during their lifecycle. While the change might be necessary, it might also be difficult to implement on the fly. A
change control process defines the steps that must be taken in order to change the scope and deliverables of
a newly or existing project. It documents the proposed change and ensures it is reviewed and improved prior
to implementation.

Change request might be in the form of emergency change that tends to be more disruptive and have a high
failure rate, and standard change that occurs frequently, low impact of risk and has a pre-established
procedure with documented tasks for completion. Major change where there are the possibilities of significant
financial implications and/or be high at risk. Finally, normal change where full change management review
process, including review by the Change Control Committee and authorization/rejection. Additional change
requests may include application changes, hardware, software, network, documentation, and environmental
Changes.

The Change Control Process comprises of below activities for efficiently and effectively handling changes:

 Creating and logging RFCs

 Reviewing the RFCs

 Evaluating and assessing the change

 Approval/rejection and authorization of change

 Coordinating implementations

 Reviewing and closing RFCs

Purpose
The purpose of this document is to provide the personnel with the standard process for managing changes in
the ICT related projects and activities. The overall objective from the document is to provide a policy and
procedure for the processes involved in the change control to greatly manage change requests so that
approved changes can be controlled, ensuring that the everything remains on schedule, within budget and
provides agreed deliverables.

Objectives
 Manage each change request from initiation through to closure.

2
 Change Control Process


 Process change requests based upon direction from the appropriate authority.

 Communicate the impact of changes to appropriate personnel.

 Allow small changes to be managed with a minimum of overhead.

Scope
The Change Control Process is the mechanism used to initiate, record, assess, approve and resolve changes.
Changes are needed when it is deemed necessary to change the scope, time or cost of one or more previously
approved deliverables.

Change Control Policy

 Changes should be examined for security implications through the participation of the security
administrators.

 The impact assessment of change should be clearly performed by Change Control Committee before
putting the change requests to implementation. The information will be used to determine the impact
of the changes by considering:

o The impact of proposed change that will have on operations.

o The risk involved in not making the change.

o The risk if the change does not go as planned.

o Predictability of the success of the change.

 The Change Control Committee should do tasks/activities division and association of personnel after
approving the change requests.

 For ensuring appropriate approval, planning, and execution all ICT resources changes which comes
under the type of normal, standard, and major change should follow the change control process.

 The change initiator should note that the change has been successfully applied, tested, and verified
in a non-production environment when an applicable environment(s) exists.

 Impact assessment of changes to production environment should be done before the submission of
the change request as per the change control process.

3
 Change Control Process


 Change requests may not be required for non-production environments unless there is a significant
upgrade or an impact.

 As per the change control process all ICT resources changes should be clearly documented.

 A lesson learned session should occur in the event of an incident during a change request.

Further details on the Change Control Policy are available in the Change Control Policy document.

Change Control Procedure

Action
Identify Validate Analyze Close
Control Execute
Verify the Analyze and decision Verify that
Understandi Decide
change is record including action is
ng and whether to
valid and is it schedule, revision to complete
documenting execute the
requires cost, efforts project plans and close
the required change
further impact of if required RFC
change
management change

Further details on the Change Control Procedures are available in the Change Control Policy document.

Related Policies and other References

 Change control procedure

 Information security policy

4
 Change Control Process


 Risk management plan

Disclaimer Statement
Deviations from policies, procedures, processes, or guidelines published and approved by ICT Directorate can
only be done cooperatively between the ICT Directorate authorized personals and the requesting entity with
sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to ICT
Directorate. Willful failure to adhere to ICT Directorate written policies will meet governmental laws and
regulations.