Title: Change Management Policy
Document ID: [POL-CHANGE-001]
Version: 0.1 Draft
Status: Draft
Owner: CISO (Paul Jenkins)
Approver: CEO (Paul Hague)
Classification: Internal
Effective date: [DD Month YYYY]
Review date: [DD Month YYYY]

# Change Management Policy

## Purpose

This policy defines BlackDice's high-level requirements for managing changes to systems, services, infrastructure, configurations, and processes that may affect security or service integrity.

## Scope

This policy applies to production systems, cloud infrastructure, Kubernetes environments, software releases, CI/CD pipelines, security tooling, and other in-scope changes.

## Objectives

- ensure changes are assessed, authorised, and traceable
- reduce the risk of unintended security or service impact
- support safe and repeatable operational change

## Principles / Policy Statements

Changes that may affect information security, resilience, compliance, or customer service must be subject to defined assessment and approval.

The level of review and approval must be proportionate to the risk and impact of the change.

Emergency changes may be implemented where necessary to reduce immediate risk or restore service, but they must be documented and reviewed retrospectively.

Changes to production infrastructure, identity systems, network controls, security tooling, and CI/CD workflows must receive appropriate scrutiny.

Change records must provide enough information to support accountability, rollback planning, and auditability.

## Roles and Responsibilities

- [Role] must define change management expectations.
- Change owners must ensure changes are documented and approved appropriately.
- Reviewers and approvers must assess impact, risk, and readiness.
- Operational teams must implement changes in line with approved controls.

## Compliance / Exceptions

Unauthorised changes are not permitted. Exceptions must be documented and approved through the defined process.

## Monitoring and Review

This policy should be reviewed through change metrics, incidents, failed changes, exceptions, and audit findings.

## Related Documents

- Information Security Policy
- Secure Development Policy
- Change Approval Procedure
- Production Deployment Procedure

## Version Control

| Version | Date | Description of Change | Author |
| --- | --- | --- | --- |
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |