Business Processes in Change Management (Domain 1)
In this episode, we are going to take a deeper look at the business processes that make up a secure and effective change management strategy. While change management involves technology, its foundation is built on decision-making processes, accountability, and collaboration. The three core areas we will explore are the approval process, ownership and stakeholders, and impact analysis. These components are essential for making sure that changes do not introduce new risks or disrupt business operations.
Let’s begin with the approval process. Every change, no matter how small it may seem, should go through a formal process to gain the right approvals. This process helps ensure that changes are reviewed carefully before they are applied. Formal does not have to mean slow: many organizations pre-approve low-risk, repeatable changes as standard changes and give emergency changes an expedited review, but even those are recorded and reviewed afterward so nothing bypasses the process entirely. In most organizations, the process starts with a change request. This is a written proposal that outlines what the change is, why it is needed, when it will happen, how it will be executed, and how it will be backed out if something goes wrong.
Once submitted, the request goes through a series of evaluation steps. This may involve technical teams, business managers, and compliance officers, depending on the nature of the change. The criteria for approving a change usually include the potential impact on systems or users, the security implications, whether testing has been completed, whether a tested backout plan exists, and whether the change aligns with business objectives. Some organizations use a change advisory board, a group that meets regularly to review and approve pending changes based on risk and benefit.
Skipping or rushing this approval process can lead to serious consequences. Changes that are not properly reviewed may cause downtime, introduce security vulnerabilities, or result in compliance failures. For example, deploying an untested software patch without approval could conflict with other systems and take an entire department offline. The approval process acts as a filter to catch problems before they reach production.
Next, let’s talk about ownership and stakeholders. Every proposed change needs an owner. This is the person responsible for ensuring that the change is implemented correctly, communicated effectively, and monitored after completion. The owner is accountable for coordinating the steps, getting approvals, and responding to issues that may arise. Clear ownership avoids confusion and ensures that someone is always watching the process from start to finish.
Stakeholders are the individuals or groups who are affected by the change. They might be system users, network administrators, customer support teams, or even external partners. Identifying stakeholders early is critical, because these are the people who can help you understand how the change will impact operations and whether any risks have been overlooked.
Effective stakeholder communication is key to a successful change. This means not only informing stakeholders about what will change and when, but also explaining why the change is happening and how it benefits the organization. Strategies for good communication include using simple language, choosing the right channels—such as email, meetings, or intranet announcements—and encouraging feedback or questions. When people understand a change and feel involved in the process, they are more likely to support it and adapt quickly.
Finally, let’s explore impact analysis. This is the process of identifying and evaluating the potential consequences of a proposed change. The goal is to determine what could go wrong, who could be affected, and how serious the outcome might be. Impact analysis helps decision-makers weigh the benefits of the change against its potential downsides.
The methodology for conducting impact analysis typically starts with a review of systems, processes, and user groups that may be touched by the change. This includes looking at dependencies—such as other applications that interact with the system being changed—and understanding what would happen if something goes wrong. Analysts often ask questions like, “What services depend on this system?” or “What is the business impact if this change fails?”
Case studies show the value of thorough impact analysis. In one example, a financial institution planned to change a network configuration to improve speed. During impact analysis, the team discovered that a legacy trading application relied on specific routing paths that would be disrupted. Because the impact was identified early, the change was modified to preserve the necessary connection and avoid costly downtime during business hours.
Another example comes from a university that planned to update its email system. Through impact analysis, they identified that password reset features tied into the existing system would break unless updated as well. With that insight, they scheduled extra development time, and the change went smoothly. Without impact analysis, these dependencies might have been missed, causing confusion and support tickets from students and staff.
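The question “What services depend on this system?” is easiest to answer from a dependency map, and the two case studies above are really the same problem: a change to one component (a routing configuration, an email system) ripples out to everything that depends on it, directly or indirectly. The following is an added example, not part of the original episode or any real product; the service names, the dependency map, and the “critical” tags are constructed to mirror the two stories, and the rule that any critical hit requires change advisory board review is a hypothetical policy, not a standard. It walks the dependency graph in reverse to produce the full blast radius of a proposed change, including indirect dependents that a manual review tends to miss.

```python
from collections import defaultdict, deque

# Constructed dependency map (hypothetical; not taken from any real environment).
# Each key depends on every service listed for it.
DEPENDENCIES = {
    "legacy-trading-app": ["core-routing"],
    "market-data-feed": ["core-routing"],
    "settlement-batch": ["legacy-trading-app"],
    "password-reset-portal": ["email-system"],
    "student-webmail": ["email-system"],
    "helpdesk-ticketing": ["email-system", "password-reset-portal"],
}

# Hypothetical tags: services whose disruption is a business-critical event.
CRITICAL = {"legacy-trading-app", "settlement-batch", "password-reset-portal"}


def reverse_dependencies(deps):
    """Invert 'X depends on Y' into 'Y is depended on by X'."""
    rdeps = defaultdict(set)
    for dependent, needs in deps.items():
        for target in needs:
            rdeps[target].add(dependent)
    return rdeps


def impacted_services(changed, deps):
    """Return every service that transitively depends on `changed`.

    Breadth-first walk over the reversed graph, so indirect dependents
    (settlement-batch -> legacy-trading-app -> core-routing) are included.
    The `seen` set also stops the walk if the map contains a cycle.
    """
    rdeps = reverse_dependencies(deps)
    seen, queue = set(), deque([changed])
    while queue:
        node = queue.popleft()
        for dependent in rdeps.get(node, ()):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen


def impact_report(changed, deps=DEPENDENCIES, critical=CRITICAL):
    """Summarize the blast radius of changing `changed` for a change request."""
    affected = impacted_services(changed, deps)
    hit_critical = sorted(affected & critical)
    return {
        "changed": changed,
        "affected": sorted(affected),
        "critical_affected": hit_critical,
        # Hypothetical policy rule: any critical dependent forces CAB review.
        "requires_cab_review": bool(hit_critical),
    }


if __name__ == "__main__":
    # The two case studies: a routing change and an email system update.
    for change in ("core-routing", "email-system"):
        print(impact_report(change))
```

The output for the routing change lists the trading application and, one hop further, the settlement batch that depends on it; a reviewer looking only at direct neighbors would have missed the second. In practice the dependency map would come from a CMDB or service catalog rather than a hand-written dictionary, and the report would be attached to the change request as evidence that impact analysis was performed.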
Proactive impact evaluation is a form of risk mitigation. By thinking through the possible effects of a change, organizations can take steps to reduce the likelihood or severity of any problems. This may include additional testing, creating backout plans, or notifying users of temporary service interruptions. The goal is not to avoid all risk—but to understand it well enough to manage it effectively.
For the Security+ exam, be prepared to identify and explain the purpose of business processes like approval workflows, ownership responsibilities, stakeholder engagement, and impact analysis. You may be given a scenario where a change causes unexpected downtime or introduces a vulnerability, and you will need to identify which process step was skipped or done incorrectly, such as a change deployed without approval, without a named owner, without notifying affected stakeholders, or without analyzing its dependencies. Focus on how each element contributes to safe, predictable change and supports a secure operational environment.
