Change Management Policy
| Field | Value |
|---|---|
| Document ID | POL-003 |
| Classification | Internal |
| Owner | CTO (interim CISO) |
| Effective Date | April 2026 |
| Review Cycle | Annual |
1. Purpose
All changes to Wealthy’s products, platforms, and operational systems must be identified, evaluated, documented, approved, and tracked. This policy sets the commitment; the Change Management Standard (STD-004) captures the operational process (stages, cadence, tooling).
2. Scope
Applies to any change affecting:
- Production software (application code, APIs, schemas)
- Infrastructure (cloud, network, CI/CD pipelines)
- Security configurations
- Customer-facing business processes
- Third-party integrations
- Compliance-relevant controls
Not in scope: routine configuration changes performed within approved change windows. Emergency hotfixes explicitly authorised by the CTO remain in scope but follow the emergency channel in section 5 rather than the standard review cycle.
3. Principles
- Every change is tracked. No change reaches production without an associated record in the approved tracking system.
- Separation of duties. The person proposing a change is not the person approving it.
- Stakeholder alignment. Business, technical, and compliance impacts are reviewed before implementation.
- Risk-proportionate review. Review depth scales with change risk; simple changes use a lightweight flow, high-impact changes escalate to the approval authorities in section 4.
- Reversibility. Every change has a documented rollback plan before deployment.
- Audit trail. Approval history, rationale, and post-implementation review are retained for the regulatory retention period.
4. Approval Authorities
| Change type | Approver |
|---|---|
| Technical architecture / infrastructure | CTO (interim CISO) |
| Business process affecting partners or customers | Operations Manager + Product Manager |
| Budget impact above threshold | Finance Team |
| Security controls / regulatory-relevant | CTO + Compliance |
| Emergency hotfix (production outage, security incident) | CTO — post-hoc ratification required within 5 business days |
5. Emergency Change
Changes required to resolve an active security incident, regulatory deadline, or production outage may be authorised by the CTO without the standard review cycle. Emergency changes must:
- Be logged immediately in the tracking system
- Receive post-hoc review within 5 business days
- Be subject to full retrospective documentation
Excessive use of the emergency channel is recorded as a finding and reviewed at the quarterly ISRMC.
6. Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Product Manager | Owns change intake, documentation, stakeholder review, sprint coordination |
| CTO (interim CISO) | Technical + security review, approval for technical changes |
| Engineering Teams | Effort estimation, implementation, rollback readiness |
| Operations Manager | Business process validation |
| Compliance Team | Regulatory review, compliance sign-off where required |
| Finance | Budget approval above threshold |
| Business Team | Business need validation |
7. Governance
- All change records are retained in the approved tracking system for the regulatory retention period (see the Log Management Standard, STD-012).
- Change-management process compliance is reviewed monthly by the Operations Manager.
- Annual external audit covers change-management trail as part of the cyber assurance scope.
- Metrics (failure rate, rollback rate, emergency-change frequency) are reported quarterly to ISRMC.
8. Exceptions
Any exception to this policy follows the Exception Management Policy (POL-013). No exception is valid without written CTO (interim CISO) approval and documented compensating controls.
9. Operational Standard
For the concrete process — 8-stage flow from intake to post-implementation review, Plane board conventions, weekly sprint cadence, emergency change request form, tooling — see the Change Management Standard (STD-004).
The Standard is maintained by the Product Manager and the CTO and is updated as operational practice evolves. This Policy is reviewed annually by the Board.
Reviewed annually. Last revision: April 2026. Contact: security@wealthy.in.