Change management (ITSM)

Change management is an IT service management discipline. Its objective in this context is to ensure that standardized methods and procedures are used for the efficient and prompt handling of all changes to controlled IT infrastructure, in order to minimize the number and impact of change-related incidents on service. Changes to the IT infrastructure may arise reactively, in response to problems or to externally imposed requirements such as legislative changes, or proactively, from efforts to improve efficiency and effectiveness, to enable or reflect business initiatives, or from programs, projects and service improvement initiatives.

Change management ensures that standardized methods, processes and procedures are used for all changes, facilitates efficient and prompt handling of those changes, and maintains a balance between the need for change and the potential detrimental impact of making it. Change management within ITSM (as opposed to software engineering or project management) is often associated with ITIL, but the origins of change as an IT management process predate ITIL considerably, at least according to the IBM publication A Management System for the Information Business.[1] For example, the IBM "Yellow Book" conception of change control (as a subset of resource control) was strictly concerned with the transfer of deliverables from projects into production.[2] Similarly, Schiesser in IT Systems Management defines change management as "a process to control and coordinate all changes to an IT production environment."[3]

Regulatory drivers

Formal change management processes are required or recommended by several regulatory and compliance frameworks to ensure that modifications to information systems do not introduce security vulnerabilities or operational disruptions.

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities, under the Evaluation standard of its administrative safeguards for electronic protected health information (ePHI), to perform periodic technical and nontechnical evaluations in response to environmental or operational changes affecting the security of ePHI (45 CFR 164.308(a)(8)).[4] The December 2024 Notice of proposed rulemaking (NPRM) to overhaul the HIPAA Security Rule would strengthen change-related requirements by mandating that regulated entities maintain a comprehensive technology asset inventory and network map, and notify certain other regulated entities within 24 hours of a change in, or termination of, a workforce member's authorization to access ePHI.[5]

The Payment Card Industry Data Security Standard (PCI DSS) requires that changes to all system components in the production environment follow established procedures that include a reason for and description of the change, documentation of its security impact, documented approval by authorized parties, testing to verify that the change does not adversely affect the security of the system, and procedures to address failures and return to a secure state (Requirement 6.5.1).[6] ITIL formalizes change management as a core service management practice (called change enablement in ITIL 4), classifying changes as standard, normal, or emergency and requiring that a designated change authority, historically a change advisory board, assess the risk of significant changes before they are authorized.[7]

References

  1. ^ IBM Global Services (2003). "IBM and the IT Infrastructure Library" (PDF). Retrieved 2007-12-10.
  2. ^ IBM (1980). A Management System for the Information Business. White Plains, New York: IBM.
  3. ^ Schiesser, Rick (2002). IT Systems Management. New Jersey: Prentice Hall. ISBN 0-13-087678-X.
  4. ^ "Security Standards: Administrative Safeguards". U.S. Department of Health and Human Services. Retrieved 2026-03-23.
  5. ^ "HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information". Federal Register. 2025-01-06. Retrieved 2026-03-23.
  6. ^ "PCI DSS v4.0". PCI Security Standards Council. Retrieved 2026-03-23.
  7. ^ "ITIL 4: IT Service Management". Axelos. Retrieved 2026-03-23.