S 2.426 Integration of patch and change management into the business processes

Initiation responsibility: Top Management, Change Manager

Implementation responsibility: Change Manager

Depending on the type of change carried out, it may be necessary to restart an application or IT system, so that it is unavailable to productive operations for a short period. In addition, even carefully performed tests cannot always prevent the distribution of hardware or software changes from causing difficulties in the affected application, or even a standstill and thus the failure of a system.

For this reason, the current situation of the affected business processes must also be taken into consideration, irrespective of any tests performed. For example, it may be perfectly reasonable to postpone a hardware or software change by a few days, even though the affected system is classified as security-critical at that time. In some cases, the system provides important services on which the organisation relies. Management may then assess the risk of patch and change management interrupting business processes as higher than the risk posed by a vulnerability that has not yet been fixed.

Before distributing hardware and software changes, it is thus necessary to inform all parties involved about the upcoming changes and the downtimes to be expected. These parties include all specialised departments that require the system. In particular, specialised departments whose ability to perform their tasks depends on the affected applications and IT systems must be involved in prioritising and scheduling the changes.

There must be at least one escalation level above the Change Manager and the CAB (Change Advisory Board) which takes the decision on prioritisation in an emergency (see S 2.422 Handling change requests). This escalation level must be designated by the management of the organisation.

Review questions: