PolicyForge

How to write a change management policy

A change management policy ensures changes ship safely and traceably. Here is what to include — request, review, approval, rollback — with a free template.

Why change management is an audit staple

Most outages and many incidents are self-inflicted, caused by an unreviewed change. A change management policy defines how changes to systems and code are requested, assessed, approved, tested and rolled back — giving you safety and an audit trail.

What to include

  1. Scope — which changes are covered (production systems, infrastructure, code, configuration).
  2. Change types — standard (pre-approved, low risk), normal (reviewed before deployment) and emergency (expedited, with retrospective approval).
  3. Request and assessment — what a change request captures: purpose, risk, impact, rollback plan.
  4. Approval — who approves which risk level, with segregation of duties so the author does not approve their own change.
  5. Testing — validation before production.
  6. Rollback — a defined way to revert.
  7. Records — every change logged for traceability.

Common mistakes

  • No emergency-change path, so urgent fixes bypass the process entirely.
  • Approvals with no segregation of duties (author approves own change).
  • No rollback plan captured in the request.

Framework alignment

This policy maps to ISO 27001:2022 Annex A 8.32 (change management), the SOC 2 change-management criteria, and the NIST CSF Protect function.

Generate it in minutes

See a sample change management policy or generate yours free.