Without controlled changes, a single mistake by your IT staff can crash your entire system, causing customers to lose access to your services and costing you money and reputation. A developer might accidentally expose customer data (like phone numbers or GST numbers) while updating code, leading to DPDP Act penalties and customer lawsuits. If a large customer audits you (common for companies selling to banks or e-commerce platforms), they will reject you for not having change management, and you lose that contract. During GST or income tax audits, authorities increasingly ask for evidence of IT controls—no change logs = suspicious and increases scrutiny.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You find that your single IT person makes updates to live applications whenever needed, often without telling anyone else or keeping notes. There is no record of what was changed, why, or when—if something breaks, nobody knows who to ask.
Initial
You have a basic email or WhatsApp group where the IT person announces they are making a change, but there is no formal approval before they proceed. After the change, someone may write it down in a notebook or spreadsheet, but this is inconsistent and often forgotten.
Developing
You have a simple spreadsheet or document where all application changes are logged with date, description, and person's name before they are made. Someone (usually the manager) approves the change in writing via email before it happens.
Defined
You have a formal change log document or simple shared system (like a Google Sheet or basic ticketing tool) where every change request must be submitted, reviewed by at least one other person, approved by management, and then documented after completion. All changes are tied to a business reason or ticket.
Managed
You use a dedicated change management tool or system (even a free one like Jira or custom-built tracker) that forces a workflow: request → approval → implementation → verification. Changes are categorized by risk level, and high-risk changes require testing on a separate non-live environment first.
Optimised
You have an automated change management system integrated with your development pipeline, with role-based approval workflows, automatic rollback capabilities, and continuous audit trails. Changes are automatically tested, documented, and tracked with full traceability for compliance audits.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Create a simple change notification process: IT person sends an email to manager and one other person before making any application change, stating what they will change and why. | IT Person + Manager | 1 day |
| 1 → 2 | Create a simple Google Sheet or Excel template with columns: Date, Application Name, Change Description, Business Reason, Changed By, Approved By, Date Approved. Require IT person to fill this out and get manager approval via email before any change. | Manager + IT Person | 3 days |
| 2 → 3 | Formalize the change process into a documented policy stating: (1) all changes must be requested in writing, (2) risk assessment (low/medium/high), (3) at least one other person must review and approve, (4) manager final sign-off, (5) testing before live deployment where possible. Implement using a shared online form or tool. | Manager + IT Person + (if available) Quality/Compliance person | 2-3 weeks |
| 3 → 4 | Migrate to a lightweight change management tool (Jira, Taiga, or custom Google Form with script automation). Set up role-based workflows: requester submits → technical reviewer reviews → manager approves → implementer deploys → verification. Log all outcomes automatically. | IT Person (with manager oversight) | 4-6 weeks |
| 4 → 5 | Integrate change management system with deployment pipeline, add automated testing for application changes, implement automatic rollback on failure detection, enable real-time audit logging, and establish monthly metrics review on change success rate and mean time to recovery. | IT Lead + DevOps/Development Team | Ongoing (3-6 months initial setup, then continuous improvement) |
Documents and records that prove your maturity level.
- Change request log or spreadsheet showing every application change made in the last 3 months, with date, description, approver, and implementation date
- Approval records (emails or system logs) showing manager or authorized person approved each change before it was deployed
- Change policy document that defines the process, roles, and approval hierarchy for application and configuration changes
- Testing or verification records showing that critical changes were tested or validated before going live (even if just a sign-off email)
- Incident or rollback records if a change caused a problem, showing what was changed back and when (demonstrates you can trace problems to specific changes)
Prepare for these questions from customers or third-party reviewers.
- "Show me your change control process for applications. Who approves changes before they go live?"
- "Walk me through a recent change you made to a production application. Can you show me the request, approval, and implementation records?"
- "What happens if a change causes an outage? How do you know what was changed and by whom?"
- "How do you ensure that critical changes (security patches, database updates) are tested before being deployed to live systems?"
- "Do you have a record of all changes made in the last 6 months? Can you show me cases where a change was rejected or rolled back?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Simple change request and approval tracking without coding | Google Forms + Google Sheets (create form that auto-populates sheet), or open-source Jira alternative like Plane or Taiga | Jira Standard Plan (₹500–1500/month), Azure DevOps (₹0–2000/month depending on users) |
| Version control for application code and configuration files so you can see exactly what changed | GitHub (public/private repos free for small teams), GitLab Community Edition (self-hosted, free) | GitHub Teams (₹3000–5000/month for small team), GitLab Premium (₹5000+/month) |
| Automated testing of application changes before they reach live users | Jenkins (open-source, self-hosted), GitHub Actions (free tier included), CircleCI free tier | CircleCI Performance plans (₹5000+/month), CloudBees CI (₹10000+/month) |
- IT person verbally tells the manager about a change, but nothing is written down—when auditors ask 'show me the approval,' you have no evidence. Always require written approval.
- Changes are logged after they are made, not before—this defeats the purpose because you are only creating a record, not getting approval first. Require requests to be submitted and approved before implementation.
- 'Emergency changes' bypass the process because something is broken—while urgent changes are real, logging them as exceptions and reviewing them later is still essential. Always document even emergency fixes.
- Change logs are kept on the IT person's personal laptop or email account—if that person leaves, all history is lost and auditors cannot verify anything. Use a shared, backed-up system.
- Confusion between 'configuration changes' and 'code changes'—both must be tracked (database password updates are as risky as code updates), but many businesses only track code and ignore configuration drift.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (accountability principles) requires organizations to implement reasonable security measures and demonstrate controls over data processing systems; change management is a core control for systems handling personal data |
| CERT-In 2022 | Direction 2 (on IT security practices) recommends change management and configuration management as essential practices for secure IT operations |
| ISO 27001:2022 | Annex A, Control A.8.32 (Change management) and A.8.33 (Information security in supplier relationships) require documented change control procedures |
| NIST CSF 2.0 | Govern Function (GV) and Protect Function (PR) category PR.DS-6 (software and information integrity) require monitoring and controlling changes to systems |
Ready to assess your organisation?
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.
Start Free Self-Assessment →