Change Control – Freezes & Risk Evaluation Policy
The purpose of this policy is to ensure that IT staff recognizes that changes to computer systems tend to
destabilize those systems. It is [company name]’s experience that there will be at least some systems errors
attributable to the Systems Requests that were not captured and resolved during the Acceptance Testing
phase. There also may be critical last-minute changes associated with a Systems Request for various
Therefore, it is the purpose of this policy to place restrictions on the number and complexity of systems
changes for periods of time around key schedule systems activities (e.g. month-ends, year-ends). Such
restrictions are prudent to address errors.
A “change” is defined as anything that impacts the total base processing solution (both business and
Mainframe/data center hardware.
Infrastructure and architecture components.
Bottom-level hardware (printers, desktop PCs, etc.).
Outsourced services or components critical to operations.
All change requests will be reviewed at a change control weekly meeting, to be conducted by the IT leader
and project sponsor. This review process will be documented using the “Change Discussion Draft”
template associated with this policy.
There are two types of freezes: “soft” and “hard.” Change control procedures at [company name] apply the
Soft Freeze during periods associated with month-ends, while the Hard Freeze is applicable for periods of
time surrounding year-end activities. Freeze characteristics are as follows:
During a Soft Freeze period, the following rules will apply:
The “Risk Evaluation Matrix” template must be completed for all proposed changes and submitted
to [name of IT leader].
Info-Tech Research Group
Non-essential functionality included with any changes must be easily removed should any
Approval to implement changes (other than emergency fixes)