What is change management? Types and steps

A defined change management process enables your organization to mitigate risk and reduce disruption

September 14, 2022


Change management refers to an organization’s approach to dealing with any adjustments or transitions to its internal or external processes. Keeping track of all changes is a combined effort across teams that involves a series of steps, including planning, testing, implementing, documenting, and evaluating the effects of any changes.

Change management strategies also need to be approved by the executive team and periodically reviewed to ensure the necessary controls are clearly communicated and result in effective implementation.

Types of change management

Changes within an organization depend on specific goals, urgency, and the potential benefits brought about by the change. While there are no set definitions, changes generally fall into one of the following types:

Exceptional change: An isolated event that has a limited impact. For example, an employee name change would require new identification and account updates, but otherwise won’t alter major aspects of their role.

Incremental change: Gradual changes that may go unnoticed at first, such as updates to existing software platforms. These changes may eventually overturn the previous state, but roll out as small improvements that don’t require any major shifts.

Pendulum change: Sudden radical swings, often from one state or view to the opposing extreme. This change creates the most disruption in the short term. Examples include expanding into a new market or moving from in-office to fully remote teams.

Paradigm change: Internalized changes that result in new behaviors and ways of working that become the norm. The most recommended type, paradigm changes integrate into current activities and create a new system. An example is shifting from in-person meetings to a format that uses synchronous and asynchronous communication.

5 steps in the change management process

The first thing auditors will look for is whether an organization has a formal change management process in place. This can be any form of documentation that outlines the way changes are proposed and implemented.

One recommended approach is to look at the change management process as a cycle with five main steps:

1. Request for change: This is the most critical step, as it involves documenting the reason for the change and its projected scope. All conditions and details explaining how the change will be implemented are listed during this step.

2. Impact analysis: The next step is to determine any potential impacts the change is likely to have on the organization. A breakdown of all the benefits and risks helps stakeholders determine the importance of the change and decide whether it should be approved or denied.

3. Approve or deny the change: The projected scope and impact analysis from the first two steps are usually enough to decide whether the change is needed in the organization. Additional discussions or questions are also clarified during this step.

4. Implement change: Implementing approved changes involves a series of tests and approvals. It’s important to outline the individuals and teams involved in making the changes, as well as when they are needed throughout the process.

5. Review and report change: Finally, recording the changes and outcomes of those changes brings the cycle back to the beginning, where additional or future changes can be considered. Reviews also verify whether changes are working as intended.

Every change will naturally have a different approval rate and implementation framework, depending on the type of change and other company priorities.

It’s important to document and communicate every step of the change, including the individuals or teams responsible and the exact tasks required to implement the change.

In summary, a change management process helps organizations move away from haphazard shifts to a well-defined and controlled approach.

Learn more about gaining compliance by downloading our eBook about the ISO 27001 journey. You can also request a demo for OneTrust’s Certification Automation tool.
