In order to manage change, you'll need a change model

A change model is a repeatable way of dealing with change. A change model defines specific steps that will be followed for any given change. Change models can be very simple with limited requirements for pre-approval before a change and post review after a change, or they can be quite complex, with many steps that require both approval and review.

Most change models follow the Plan-Do-Check-Act (PDCA) four-stage cycle for process management that was originally devised by W. Edwards Deming. In case you missed reading about it, here's a quick overview of PDCA.

Plan: design or revise processes that support the IT services. Plan establishes policy, objectives, processes, and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization's overall policies and objectives. In relationship to change management, Plan focuses on planning for changes by communicating with others on the team about the proposed changes, reviewing the proposed changes, and not allowing changes to happen ad hoc, willy-nilly, or surreptitiously.

Do: implement the plan and manage the processes. Do implements and operates the policy, controls, processes, and procedures. In relationship to change management, Do focuses on conducting the approved changes in a timely manner and communicating with anyone necessary about the changes as they are about to take place, are taking place, and have taken place.

Check: measure the processes and IT services, compare with objectives, and produce reports. Check assesses and, where applicable, measures process performance against ISMS policy, objectives, and practical experience, and reports the results to management for review. In relationship to change management, Check focuses on testing and communicating the approved and implemented changes to ensure that they've met their definition of success.

Act: plan and implement changes to improve the processes. Act takes corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement. In relationship to change management, Act focuses on post implementation reviews to identify opportunities for improvement in the overall change model in the future.

The basic change management process

If you didn't notice, threaded throughout the four-point process above is the message that the various team members have to communicate with each other. In terms of change management, there are four roles that must take part in the RACI process: the change requester, change owner, change advisors, and change manager.

The change requester: is the person who initiates the request for change - whether the person is within a business unit, the IT group, or a vendor.

The change owner: is the person responsible for planning and implementing the approved change.

The change advisors: (or Change Advisory Board) is a cross-functional group that evaluates change requests and either approves the changes, denies them, or modifies them.

The configuration manager: is the person responsible for maintaining the configuration management database (which can even be a Word or Excel file) for the system in question. This person will also be responsible for scheduling the proposed changes.

The change manager: is the overall authority for the change management process and assigns the responsibility to a change owner once a change has been approved.

With these roles added to the mix, the following diagram shows how the change management process moves through the various staff members and how it has picked up a few steps.

The change management process by role

However, information technologists aren't particularly adept at team communication. Therefore, in order to aid the PDCA process and ensure that your team members are communicating with each other properly, you'll want to turn to another four-letter acronym, "RACI", which we've discussed in depth earlier in the book, to make your life easier.

Below is the RACI chart for our initial change management model. Notice which personnel are consulted and which are informed at the various steps. Remember that consulted means that the conversation is two-way, with the person being consulted having input. Informing someone means simply updating them on the progress without asking for their input into the process step.

The RACI table for our change model

 

This is a sample of what is available in the Change Management Kit, which includes a PDF guidebook, an Excel audit worksheet, and the professionally designed forms you'll need to get you started.

Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.