Change Management ITIL SOP

Standard operating procedure for reviewing, approving, implementing, and reviewing IT changes using an ITIL-aligned change management process.

Steps

• Log the change request
  The change initiator records the change request in the change management system and includes the change title, business justification, affected services, requested implementation window, and requester contact information. The initiator classifies the change as standard, normal, or emergency if your process requires an initial classification.
• Verify completeness of the request
  The change manager verifies that the request includes scope, business reason, affected configuration items, dependencies, test evidence if available, implementation window, and rollback approach. If required information is missing, the change manager returns the request to the initiator for correction.
• Assess risk and impact
  The change manager and relevant technical owner assess the change for service impact, security impact, operational risk, customer impact, and dependency conflicts. The team documents the risk rating, expected downtime or degradation, test requirements, and any tolerance limits for the change window.
• Consult stakeholders and CAB
  The change manager notifies affected stakeholders, service owners, and the Change Advisory Board (CAB) as required by the change type and risk level. The change manager records feedback, objections, scheduling constraints, and any required conditions for approval.
• Approve, defer, or reject the change
  The authorized approver reviews the risk assessment, implementation plan, rollback plan, and stakeholder input. The approver decides whether to approve the change, defer it for more information or a better window, or reject it based on business risk and operational readiness.
• Prepare the implementation window
  The change implementer confirms the maintenance window, assigns roles, validates access, and verifies that monitoring, backups, and rollback steps are ready. The implementer communicates the planned start time, expected service impact, and escalation contacts to affected parties.
• Implement the approved change
  The implementer performs the change exactly as approved, follows the documented sequence, and records the actual start time, end time, and any deviations from the plan. The implementer pauses and escalates if the change exceeds tolerance limits, produces unexpected errors, or affects unapproved systems.
• Verify service stability
  The system owner or designated verifier checks service health, error rates, performance metrics, and user-facing functionality against the acceptance criteria. The verifier confirms whether the change met the expected outcome and whether any incident or non-conformance must be opened.
• Document deviations and incidents
  The change manager records any deviation from the approved plan, including timing changes, failed steps, rollback actions, service degradation, or incidents. The change manager links related incident records and identifies corrective and preventive actions if required.
• Complete post-implementation review
  The change manager conducts a post-implementation review for normal and high-risk changes. The review confirms whether the change met the business objective, whether the implementation followed the approved plan, whether rollback was needed, and whether any follow-up actions are required.
• Close the change record
  The change manager verifies that approvals, implementation notes, test results, incident links, and post-implementation review outcomes are attached to the record. The change manager then closes the change in the system and retains the documented information according to the organization’s record retention requirements.
• Escalate rejected or failed changes
  The change manager escalates rejected changes, failed implementations, or unresolved service impacts to the service owner, incident manager, or problem manager as appropriate. The escalation includes the reason for rejection or failure, current service status, and the required next action.