Simplified Change Management Process For CISSP Exam

Dave On Cyber
Dec 9, 2022
Change Management Tools — that maintain and fix the production environment

There are various versions of the change management process, but which one should you remember for the CISSP exam?

Well, the answer is none. You don’t have to remember. You must read as many articles as possible, watch videos and develop your version. It’s the best way to understand the process. It would help to share it on your blog or as a LinkedIn post.

I followed this approach and realised that words could differ, but the process would not change. I want to jot down my change or control management process from various sources in this article.


In this phase, the change request is initiated. The change could be to apply a patch to address the vulnerability, planned maintenance work or an unplanned outage.


Once the request is submitted, the change advisory board (CAB) reviews the proposed change. In this phase, the impact analysis and risk assessment take place. How is it going to affect the business function and users/customers?

Impact assessment is a crucial part of the change management process.


CAB’s decision is binary. It’s either YES or NO. They might reject the request if the risk is high, or knock it back to the change requestor if they require more details or research. If CAB approves the request, the change progresses to the next phase. Note that steps 4 and 5 can also be summarised as SCHEDULE AND IMPLEMENT.


The purpose of this phase is preparation. It’s critical to implement and apply the configuration in the test or non-prod environment and understand how it affects the systems in production. Although the change is approved, if the implementor deduces from the test environment result that the change may not execute in prod as expected, they can flag the identified risk back to management.

The above four phases are critical because you are about to start the party!


Unfortunately, it’s the first phase for many organisations that still don’t have a proper change management process. In this phase, the configuration/change is applied to the production environment.


This stage is about the validation of the change. The most crucial testing would be regression testing to ensure the business functions as usual after the change.


Once the change is completed, it will be returned to CAB for formal review. The purpose of this phase is to ensure that the change was executed as planned. The intent is also to learn whether anything else happened, or whether anything can be documented for future changes to that system.


It’s the closure of the change where the request is formally closed.

As I mentioned, you won’t find the exact process or steps in any article or book. It’s scattered. But the pattern is the same. Change management exists to ensure that the organisation’s confidentiality, integrity and availability are not compromised.

Change management also exists to detect unauthorised changes in the production environment. In other words, change management is the process that maintains integrity throughout the organisation. If we have a process for changing a file in the company, it is easy to detect when an unauthorised modification occurs, especially when the file content is confidential/sensitive.
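One way to put that detection into practice, as an added example that is not from the original article: compare the current file hashes against a baseline and against the hashes recorded on approved change requests. The paths, change IDs, record fields and status values are hypothetical, and the sample data is constructed.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def reconcile(baseline, current, changes):
    """Classify every path as unchanged, authorised or UNAUTHORISED.

    baseline/current map path -> SHA-256 (a missing path means no file).
    changes is the change register; only CAB-approved entries count.
    """
    approved = {}  # path -> {expected new hash: change id}
    for c in changes:
        if c["status"] == "approved":
            approved.setdefault(c["path"], {})[c["new_sha256"]] = c["id"]
    findings = {}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            findings[path] = ("unchanged", None)
        elif new in approved.get(path, {}):
            # The observed content is exactly what an approved change described.
            findings[path] = ("authorised", approved[path][new])
        else:
            # No request, a rejected request, or content that differs from the plan.
            findings[path] = ("UNAUTHORISED", None)
    return findings

# Constructed sample data (hypothetical paths and change IDs).
BASELINE = {
    "/etc/app/app.conf": sha256(b"timeout=30\n"),
    "/etc/app/users.db": sha256(b"alice\nbob\n"),
    "/etc/app/tls.conf": sha256(b"min_version=1.2\n"),
    "/etc/app/motd": sha256(b"welcome\n"),
}
CHANGES = [
    {"id": "CHG-0001", "path": "/etc/app/app.conf",
     "new_sha256": sha256(b"timeout=60\n"), "status": "approved"},
    {"id": "CHG-0002", "path": "/etc/app/tls.conf",
     "new_sha256": sha256(b"min_version=1.0\n"), "status": "rejected"},
]
CURRENT = {
    "/etc/app/app.conf": sha256(b"timeout=60\n"),          # matches CHG-0001
    "/etc/app/users.db": sha256(b"alice\nbob\nmallory\n"),  # no change request
    "/etc/app/tls.conf": sha256(b"min_version=1.0\n"),      # applied despite a NO
    "/etc/app/motd": sha256(b"welcome\n"),
}

if __name__ == "__main__":
    for path, (verdict, change_id) in reconcile(BASELINE, CURRENT, CHANGES).items():
        print(f"{verdict:<13} {path} {change_id or ''}")
```

The rejected request shows why the register matters: the file matches what was requested, but it is still flagged because CAB said NO.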

Documentation is an essential element of the change management process.

Whether it is for organisation or life, change is inevitable.


