University of Gloucestershire. Change Control Process






Full text


University of Gloucestershire

Change Control Process

Document Control

Issue/Amendment Record


Date of


Reason for Issue



New Change Request Form



Change to Document Owner



Move to electronic process

Document Ownership

Name and Title




Clive Fenton

ICT Manager University of



Clive Fenton

ICT Manager

University of Gloucestershire



Clive Fenton

ICT Manager University of Gloucestershire



Information Owners are Responsible for the integrity, confidentiality and availability of the information they own. They take advantage of the services of other University teams (particularly systems development and ICT) in the delivery and operation of their information systems. They retain ultimately responsibility for their information and need to ensure that the services they receive from other departments are appropriate for their needs.

When a change is needed that may affect the integrity, confidentiality and availability of the information they own, the information owners must assess the business benefits against the risks before they agree to the change taking place. They may also check to ensure appropriate back-out plans and test plans are in place prior to approving a change.

This change control procedure is designed to ensure that all interested parties (information owners, system developers and ICT) all approve changes before they are made.

Definition of Change

“Any move, addition, removal or change to system functionality in the live environment that may affect its information’s Integrity, Availability or



Change Control is not needed for changes to: Desktop Devices

Individual Users Accounts (but separate forms are used to record this activity)

Change Control is needed for changes: Affecting over 5 users

Software changes developed internally or by third party support teams, system access issues and system software upgrades

Hardware, software, system components, services and process changes for anything deliberately introduced into the ICT environment that could affect its functioning.

Change Control Roles Change Requester


Information Owner

This is the person ultimately accountable for the Integrity, Availability and Confidentiality of the information potentially affected by the change. System Developer

For many systems a representative of the system development (application software) team is involved in approving a change. ICT Representative

In all cases, an ICT representative is involved in approving changes. Change Proposer

This is the person who completes the Change Request form, is familiar with the scope of the Change, and who will answer questions around the Change. This could be a Project Manager for high-level changes or Systems Developer or Administrator for technical changes.

For example, if the Change Requester is unable to complete the Change Request form themselves, or is unfamiliar with the technical environment, the Change Proposer will raise the documentation and forms necessary to support the Change Request.

Change Implementer

All people, internal and external to the University, who will be completing work as part of a Change.

Change Assurer

An individual nominated by the Change Requester to provide feedback on the success or failure of a Change. Normally, this would be the MIS system specialist responsible for the system affected by the change. Change Control Board (CCB)

The Change Control Board (CCB) is made up of University members as follows:

• ICT Manager (The Change Manager) • Network Manager

• Nominated System Developers and Administrators

• Other University members of staff agreed by the ICT Manager through the Change Control process

CCB members are notified through MS SharePoint of proposed changes. Decisions will be taken at the weekly Change Control Board.


Change Manager

The ICT Manager is the nominated member of the LIS Management Team who chairs the Change Control Board.

In the Change Manager’s absence, this role can be filled by the University Network Manager.

Process Description

Change Control notifications and process auditing are managed through the use of SharePoint email alerts.

The Change Proposer will indicate the system and application to which the change relates on the form.

A risk assessment is carried out to determine the possible extent of the impact of the change and the number of users and or departments potentially affected according to the following table:

For risks marked as High or Very High, backout plans will be required. They may also be required for lower risk changes at the discretion of the Change Board.

A description of the change is required and the potential benefits of the change should be explained in business terms – suitable for the

information owner to assess.

Unless test plans and backout plans are included, the reasons why they are considered unnecessary should be included.

Proposed Changes will be reviewed on Mondays by the Change Control Board. “Authorised” or “Declined” decisions will be applied to the change control form. The Change Manager will also notify the Change Proposer (if not a member of the CCB). Changes without the required number of votes will not be progressed.

The ICT Help Desk will receive notification of approved decisions through Share Point

Good practise should be followed for all changes; firstly test to ensure systems are working as expected. Once the change has occurred, testing (including user testing) should be carried out. As necessary the change may be backed out and full testing repeated. Sufficient time should be

Low – Unlikely to impact a business function or any users Medium – May affect a business function or Unlikely to affect many business functions

High – Significant Risk of affecting a business function or May affect many business functions


allowed for a change to be backed out and testing re-applied in case this is necessary as part of the change plan.

Feedback from the nominated Change Assurer is to be added to the form after the implementation date (as an independent authentication of

Changes). Comments are to be added to the original Change. Any issues should be feedback to the Change Proposer and escalated to the ICT Manager if appropriate

Completed Changes are reviewed at the beginning of each month by the Change Manager.

Emergency Changes

In the case that the need for an Emergency Change arises, verbal

authorisation from the ICT Manager or deputy is sufficient for the Change to be progressed, provided that the paperwork normally required (defined above) is completed by the Change Proposer and authorised by the

Management Team Member as soon as is reasonably possible after the Emergency Change has been implemented.

Unauthorised Changes

If you become aware of a Change that has occurred without authorisation, please send a description of the Change to the ICT Manager

If you have yourself made a Change without authorisation which you subsequently believe should have been subject to the Change Control Process, please notify the ICT Manager and submit a retrospective Change Request immediately.

University Web Site Changes

For this system, the information owners are offered a service by the Web development team that assures them of high levels of availability and appropriate levels of confidentiality. For this system, the web development team then take on the responsibility for providing this service and may subsequently approve changes on behalf of all of the individual

information owners as necessary to continue to deliver the service.

Notifications and Process Auditing Guidelines

Change Control notifications and process auditing are managed through the use of SharePoint email alerts.

All members of Level 2 and 3 are to set up two alerts in SharePoint. These will trigger emails to be sent when a new Change Request is proposed and when one of your own items is updated by someone other than yourself.


While viewing the Change Control List, click on Actions and select Alert


1. Alert Title: Change Control (New Item)

Change Type: New items are added

When to Send Alerts: Send email immediately 2. Alert Title: Change Control (My Items)

Change Type: Existing entries are modified

Send Alerts for These Changes: Someone else changes an item created by me When to Send Alerts: Send email immediately

The Change Manager will also set up an alert, as per 1 above.

All members of Level 1 are to set up an alert, triggering an email to be sent when a Change Request has been completed.

1. Alert Title: Change Control (Completed Item)

Change Type: Existing items are modified

Send Alerts for These Changes: Someone changes an item that appears in ‘Status (Completed)’

When to Send Alerts: Send email immediately

The Change Manager and the Network Manager are to add the mailbox ‘ictccaudit’ to their list of mailboxes in Outlook, so as to be able to monitor process auditing when necessary. This mailbox has already been

configured to receive alerts regarding all changes to Change Control list items.

Use of SharePoint – Change Control List

Items can be viewed and edited by clicking on the title. If printouts are required, print the viewed version rather than the editable form.

The list of items is grouped according to the setting of the Status field. Change View to filter the list by Category or by Status. The view named

Change Proposer (Me) shows only the items which you have created, Change Implementer (Me) shows only the Change Controls which you

were or are responsibly for carrying out; choose ‘All Items’ to see everything;

Please do not add any new Public views, or try to change the existing ones. You can, however, create your own Private views.

You can search the list, but note that SharePoint catalogues entire pages rather than just the list data. This means that the filter pages, etc, will appear amongst any results, but the icon for the result will indicate which results are form pages.

Note that it does not appear to be possible to change the Change Proposer’s name once a form has been submitted.





Related subjects :