3. Minor change
A minor change is usually one that does not require a significant amount of preparation and planning, such as the implementation of a scheduled security patch or the installation of a new device onto the network. Such changes are usually low-risk and won't have a large impact on how the business operates, so they can be implemented using the standard process. However, that does not necessarily mean they can be treated lightly, because some relatively minor changes will still need strong monitoring and auditing, either for reasons of compliance or because they will impact sensitive applications or mission-critical systems.
4. Major change
Major changes are ones that have a significant effect on the day-to-day workings of the business. A major change might, for example, include a significant alteration of a network's infrastructure that will require a period of downtime, or a migration from a legacy application to a newer one. These are complex, multi-step processes and therefore must undergo detailed preparation work before the implementation phase. Direct approval and oversight from the change advisory board will be a requirement, especially for actions that are classed as medium or high-risk.
5. Emergency change
These are changes that must be implemented as soon as possible - often because a critical weakness in an existing system has been found and needs to be fixed before it can cause damage. For example, one of the most common scenarios that will mandate an emergency change is the discovery of a zero-day vulnerability that exposes an organization to hackers.
Because of this, there won't be time to go through the formal change advisory board approval process. Indeed, in some cases, anything more than a quick meeting may be a luxury the business can't afford. However, that does not mean established procedures should be ignored. There must still be a high level of authorization and oversight from a change manager, along with critical testing processes wherever possible.
Because emergency changes will, even with the best contingency planning, be less formalized than standard and normal changes, it's important they are only used when absolutely necessary, and not as a shortcut to avoid bureaucracy for changes that do not typically justify emergency procedures.