Change Management Policy Template

Change Management Policy Template

Download your free copy now

Adopting a full set of information security policies is a critical step in ensuring that every department and employee understands their role in helping protect company, customer, and employee data. 

Please use these policy templates as a way to get your organization on the right track when it comes to full policy creation and adoption.

If your organization is going to make changes to information resources, it’s helpful to understand what changes are being made and that you’re guiding the decisions these changes.

Free Resource

Download our free Change Management Policy Template now.



The purpose of the (Company) Change Management/Control Policy is to establish the rules for the creation, evaluation, implementation, and tracking of changes made to (Company) Information Resources.


The (Company) Change Management/Control Policy applies to any individual, entity, or process that create, evaluate, and/or implement changes to (Company) Information Resource.

Table of Contents


  • Changes to production (Company) Information Resources must be documented and classified according to their:
    • Importance,
    • Urgency,
    • Impact, and
    • Complexity
  • Change documentation must include, at a minimum:
    • Date of submission and date of change,
    • Owner and custodian contact information,
    • Nature of the change,
    • Change requestor,
    • Change classification(s),
    • Roll-back plan,
    • Change approver,
    • Change implementer, and
    • An indication of success or failure.
  • Changes with a significant potential impact to (Company) Information Resources must be scheduled.
  • (Company) Information Resource owners must be notified of changes that affect the systems they are responsible for.
  • Authorized change windows must be established for changes with a high potential impact.
  • Changes with a significant potential impact and/or significant complexity must have usability, security, and impact testing and back out plans included in the change documentation.
  • Change control documentation must be maintained in accordance with the (Company) Data Retention Schedule.
  • Changes made to (Company) customer environments and/or applications must be communicated to customers, in accordance with governing agreements and/or contracts.
  • All changes must be approved by the Information Resource Owner, Director of Information Technology, or Change Control Board (if one is established).
  • Emergency changes (i.e. break/fix, incident response, etc.) may be implemented immediately and complete the change control process retroactively.


See Appendix A: Definitions


  • ISO 27002: 12.1.2
  • Network Management Policy
  • Data Retention Schedule


Waivers from certain policy provisions may be sought following the (Company) Waiver Process.


Personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.

Any vendor, consultant, or contractor found to have violated this policy may be subject to sanctions up to and including removal of access rights, termination of contract(s), and related civil or criminal penalties.

Cheat Sheets


Incident Response Playbooks

Policy Templates

Program Guides


Change Management Policy Template

Download your free copy today.