Change enablement, if not implemented properly, can disrupt business processes and lead to downtime. Many organizations haven't established distinct stages to document the entire change process. This often leads to IT environments where the success of an enacted change relies on a single subject matter expert. This isn't efficient and can be unmanageable and stressful for the IT team.
Let's look at the IT department at Zylker Tech, which has developed an emerging video marketing platform. The organization wants to revamp its change enablement process, and realizes that ManageEngine ServiceDesk Plus will help it achieve its process optimization goals.
Zylker Tech aims to increase its reach in the marketplace. However, to earn the trust of large-scale enterprise clients, Zylker Tech requires an ISO 27001 compliance certification. The CIO tasks Zylker Tech's IT manager to achieve this, and the process begins.
Zylker Tech's change practices and implementation often depended on a couple of senior technicians, Mark and Mary. Without a well-documented and established change process, the onus of change implementations rested on them.
Zylker's existing change enablement process wouldn't cut it when tested against the ISO standards. Its processes weren't well governed or documented. Mark and Mary were selected because they could wear multiple hats, including reviewing changes and project impacts, and keeping stakeholders in the loop about downtimes.
To bring a more structured approach to change enablement at Zylker Tech, Mark and Mary were assigned to lead the change management overhaul to get it up to the ISO standards.
Gearing up for compliance
After taking stock of Annex A Control 8.32 of ISO 27001:2022, Mark and Mary distilled the requirement into six components that needed to be implemented in the change enablement procedure.
With clarity over the work that needed to be accomplished, Mark and Mary framed the policies and documentation based on the requirements. Now, the plan was ready, and the change management optimization steps were on paper.
To help standardize the practice, Zylker Tech required a platform that could enforce the set change process policies. They banked on ServiceDesk Plus to help them achieve change enablement compliance with ISO 27001.
These were the six components of ISO 27001's change management requirements that ServiceDesk Plus helped provide for Zylker:
1. The organization should be able to map and assess the change impact on the IT infrastructure.
The change module with ServiceDesk Plus breaks down a change process into eight stages: Submission, Planning, Change Advisory Board (CAB) evaluation, Implementation, User Acceptance Testing, Release, Review, and Close.
For each type of change that an IT organization manages, a template can be created with the preferred stages from these eight. The template enables change admins to document the relevant details in sections within each stage, using both predefined and custom-defined fields.
With ServiceDesk Plus, Zylker Tech leveraged the out-of-the-box dedicated sections to document the impact that a change would have on the IT infrastructure. The impact details, rollout plan, and back-out plan can be documented under the Planning stage of the change request. Apart from predefined sections, Mark and Mary are also able to add any type of field to capture the required information at each stage of the change.
Within the change request, Zylker is able to associate the impacted CIs. ServiceDesk Plus enables organizations to create visual relationship maps of the IT infrastructure and services. So when the CIs are associated within the change request, Zylker is able to access the relationship map between the CIs from the change request, owing to ServiceDesk Plus' built-in CMDB. These capabilities together help Zylker Tech satisfy the requirement.
2. The organization should implement controls for changes. These authorization controls should be properly documented with appropriate access.
Mark and Mary were able to record the accountable stakeholders of the change requests from within the change template. Accountability in ServiceDesk Plus is handled through Change Roles, which control the access permissions for every stakeholder who made a change. Each Change Role offers view, edit, and approval privileges at each stage of the change. ServiceDesk Plus provides several predefined Change Roles, such as Change Approver and Reviewer, that Zylker Tech leveraged during their change process.
Apart from the change roles that were available out of the box, they were also able to create new roles with granular permissions through each stage of the change, which further gave them better authorization control over their changes.
Under the CAB evaluation stage, Zylker Tech was able to set the approval process with multiple CABs. These helped them with a streamlined approval process and enabled authorization control over their change. Only when the multiple levels of CAB approved the change would it move to the Implementation stage of the process in ServiceDesk
3. Notification of the proposed change to all internal and external stakeholders
When stakeholders of the proposed change needed to be informed, Mark and Mary relied on ServiceDesk Plus' Notification Rules that provide automated notifications activated from a simple checkbox.
Apart from Notification Rules, Mark and Mary realized they needed more contextual notifications during the change process. To comply with this requirement, they used the Action nodes within Change Workflows in ServiceDesk Plus.
Change Workflows in ServiceDesk Plus are visual pathways that guide the change through all the stages, from submission to closure, with automated actions executed as configured in the workflow. The Change Workflows offer four types of nodes: Stage, Condition, Action, and Branch.
A Stage node can direct a change request to a specified stage and status in the change process. The Condition node provides multiple pathways for the change to move depending on any parameter of the change. The Branch node forks and joins the change pathway, and the Action node executes notifications, approvals, field updates, tasks, timers, and custom functions.
Zylker Tech leveraged the Notification action node in their Change Workflows to alert stakeholders of any activity that required attention and acknowledgement.
Mark and Mary were also able to fetch variables such as the change subject values directly from the change request to populate the notification. Therefore, they were able to create notification templates that could be reused across various change workflows, rather than configuring new notifications for each of Zylker Tech's workflows.
4. The organization should adhere to ISO 27001:2022 Annex A 8.29 by having testing and acceptance tests for changes.
Mark and Mary ensured that Zylker Tech had relevant user-acceptance tests for a subset of users, or through other methods, before deploying the change. Then, they were able to document this with dedicated stages in the change process in the ServiceDesk Plus platform.
5. The implementation of the change should include contingency plans and procedures, including a fallback plan.
ServiceDesk Plus enabled Zylker Tech to document the Impact Details, Rollout Plan, and Backout Plan directly in the planning stage of the proposed change. While these fields came configured out of the box, Zylker Tech could also add the required field in each stage as needed.
During Implementation, the proposed change could be handled with tasks, or as an IT project with the integrated project management module of ServiceDesk Plus. This ensured Zylker Tech was implementing changes with full visibility and control.
6. Maintain records of all modifications and activities during the change procedure.
With ServiceDesk Plus, the history tab created a perfect audit trail of all the activities that occurred during the entire change procedure. This helped Zylker Tech take a step closer to achieving the ISO 27001:2022 compliance standard.
ServiceDesk Plus' change enablement module, built using industry best practices, helped Zylker Tech accomplish their ISO 27001:2022 standards requirements. Once Mark and Mary sorted through the process and configured ServiceDesk Plus to manage changes, they moved beyond being involuntary owners of every change implemented in the environment. They benefitted by returning to tasks they preferred to handle. Zylker Tech benefitted from more efficient and streamlined processes, and greater compliance with ISO standards.
Zephan is the product marketing analyst for ManageEngine's ESM suite of products. He loves to create resources that educate IT service desk folks on the best practices for making the most of ITSM. He also helps ServiceDesk Plus customers reach their IT goals by conducting engaging live sessions on using the platform to its full potential. When he is not focusing on ITSM, you can find him fervently discussing MotoGP.