Application change management



  • Can someone provide a base model for a small company change management?
    What are the steps and what are the most important things to keep in mind?
    Thanks



  • a) Steps are:

    1. Under IT Policy Document, define the Change Management Process for Application Changes.
    2. Define Controls in the form of Evidence/Artifacts.
    3. Get the Policy approved by Management and Auditors.

    b) Note: Always refer to some Standard Framework, e.g. COBIT 4.1.

    c) Important Evidence/Artifacts which act as controls are:
      - Change Request Log
      - Test Plan/Results (e.g. UAT)
      - Approvals just prior to deployment to production (e.g. sign off a form)
      - Promotion Reports (if any, e.g. the tool ALDON generates a report)
      - Update SOX documentation (if applicable to this change, e.g. update the SOX Narrative for the Application or Add/Change/Delete a 404 control)

    d) The Test Steps for Change Management are to verify the evidence/artifact.

    e) Note: The only Remediation Plan is to do it the right way next time.
    You cannot go back to create the missing evidence or correct the evidence.


  • Thank you.
    Is there a site where I can get templates?
    Can someone define if it is not a change in code but a change in views or a report? Does it have to go through the entire process?
    Also, can someone go a little more into detail on the different levels of change management (i.e. impact on 1 user, impact on 1 group, or impact on enterprise…)?
    For the UAT process, can the business group come up with their own test scripts, and if they are willing to sign off on it before and after the test, is it enough?
    Does anyone have a final sign-off sheet sample?
    Also, any suggestions on Intranet change management?
    Also, has anyone used VSS for logging changes (using it like a db from initial request to mgmnt/user signoff)?
    Thanks


  • I guess auditnet dot org is a nice place to get templates for almost all IT audit related areas.
    As far as my knowledge goes, a change is a change, be it a change in the way an application works, or a change in reports or displays.
    Hope this helps



  • For Point 3: You don’t need to get the policy approved by Auditors.
    Look for Change Management Documentation in ITIL (BS 20000 standard). It’s a separate stream there (with release Management) and is better explained.

