Secure Change Management for NIS2 and DORA
It was 4:30 PM on a Friday when Maria, the CISO of Finacore, saw the dashboard turn red. API failures were rising, transaction timeouts were spreading, and a major banking client’s connection had dropped completely. The team assumed the worst: DDoS, credential compromise, or a live exploit.
The root cause was more ordinary and more damaging.
A well-intentioned developer had pushed a small performance hotfix directly to production before the weekend. There was no formal change request, no documented risk assessment, no approval trail, no security testing evidence, and no rollback plan beyond “revert it if something breaks.” The fix introduced a subtle API compatibility issue that severed the customer connection and triggered a frantic rollback.
By Monday, Maria knew the outage was not just an engineering failure. Finacore was a SaaS provider to the financial sector, processed EU customer data, depended on cloud and identity providers, and was preparing for ISO/IEC 27001:2022 certification. DORA applied from 17 January 2025. NIS2 national measures had been moving into force across the EU since late 2024. The same failed change could now be examined as an ICT risk event, a cyber hygiene weakness, a supplier-dependency issue, a GDPR accountability failure, and an audit finding.
The question was no longer, “Who approved the ticket?”
The real question was, “Can we prove this change was risk assessed, approved, tested, deployed, monitored, reversible, and reviewed?”
That question defines secure change management in 2026.
Why secure change management became a board-level control
Secure change management used to be treated as an ITIL workflow hidden inside Jira, ServiceNow, spreadsheets, or email approvals. In regulated digital businesses, that is no longer enough. Change management is now part of operational resilience, cyber hygiene, ICT risk governance, privacy accountability, and customer assurance.
NIS2 applies broadly to many public and private entities in listed sectors, including digital infrastructure providers such as cloud computing services, data centre services, content delivery networks, trust service providers, electronic communications providers, and B2B ICT service management providers, including MSPs and MSSPs. For SaaS, cloud, MSP, MSSP, fintech, and digital service SMEs, NIS2 scoping is often one of the first compliance questions customers ask.
NIS2 Article 20 requires management bodies to approve cybersecurity risk-management measures, oversee their implementation, and follow cybersecurity training. Article 21 requires appropriate and proportionate technical, operational, and organisational measures across risk analysis, incident handling, business continuity, supply-chain security, secure acquisition, secure development and maintenance, assessment of control effectiveness, cyber hygiene, training, cryptography, HR security, access control, asset management, authentication, and secure communications.
A production change can touch nearly all of those areas.
DORA raises the pressure for financial entities and ICT service providers supporting financial services. DORA Article 5 addresses governance and organisation. Article 6 establishes the ICT risk management framework. Article 8 covers identification of ICT assets, functions, dependencies, and risks. Article 9 covers protection and prevention. Article 10 covers detection. Article 11 covers response and recovery. Article 12 covers backup and restoration. Article 13 covers learning and evolving. Article 14 covers communication. Articles 17 to 19 cover ICT-related incident management, classification, and reporting. Articles 24 to 26 cover digital operational resilience testing, including advanced testing where applicable. Articles 28 to 30 cover ICT third-party risk, contracts, due diligence, monitoring, exit strategies, and control over critical or important dependencies.
If a change modifies a payment API, cloud firewall, identity provider integration, database parameter, logging rule, backup job, encryption setting, monitoring threshold, or supplier-managed platform, it is an ICT risk event. Whether it becomes a resilience success or a regulatory problem depends on how the change is governed.
ISO/IEC 27001:2022 provides the management system backbone. Clauses 4.1 to 4.4 define the ISMS context, interested parties, obligations, scope, and continual improvement. Clauses 5.1 to 5.3 require leadership, accountability, policy, resources, and assigned responsibilities. Clauses 6.1.1 to 6.1.3 require risk assessment, risk treatment, Annex A comparison, the Statement of Applicability, risk treatment plans, and risk-owner approval. Clauses 8.1 to 8.3, 9.1 to 9.3, and 10.1 to 10.2 require controlled operation, risk reassessment, monitoring, internal audit, management review, corrective action, and continual improvement.
That is why change management cannot be bolted onto engineering after the fact. It must operate inside the ISMS.
The ISO control at the center: 8.32 Change Management
In ISO/IEC 27002:2022, control 8.32 Change Management requires changes to information processing facilities and information systems to be subject to change management procedures. Clarysec treats this as a control system, not as a ticket status.
Zenith Controls: The Cross-Compliance Guide Zenith Controls maps ISO/IEC 27002:2022 control 8.32 Change Management as a preventive control supporting confidentiality, integrity, and availability. It aligns with the Protect cybersecurity concept and connects change management to application security, system security, network security, operational resilience, and audit evidence.
That mapping matters because change management is not designed to slow business down. It is designed to prevent avoidable disruption, unauthorized exposure, integrity failure, configuration drift, missing logs, failed recovery, and untested supplier impact.
The Zenith Controls book maps 8.32 to several supporting ISO/IEC 27002:2022 controls:
| Supporting ISO/IEC 27002:2022 control | Why it matters for secure change management |
|---|---|
| 8.9 Configuration Management | Configuration management defines the known-good baseline, while change management governs authorized alteration of that baseline. |
| 8.8 Management of Technical Vulnerabilities | Vulnerability remediation and patching are governed changes, so the change workflow creates the execution and evidence trail. |
| 8.25 Secure Development Life Cycle | The SDLC produces software changes, while change management controls movement into production. |
| 8.27 Secure System Architecture and Engineering Principles | Architecture-impacting changes should trigger architecture and security review before implementation. |
| 8.29 Security Testing in Development and Acceptance | Significant changes should include functional, security, compatibility, and acceptance testing evidence before approval. |
| 8.31 Separation of Development, Test and Production Environments | Environment separation allows changes to be tested safely before production deployment. |
| 5.21 Managing Information Security in the ICT Supply Chain | Supplier-initiated changes must be assessed when they affect systems, data, services, or dependencies. |
| 5.37 Documented Operating Procedures | Repeatable procedures make change handling consistent, auditable, and scalable. |
The cross-compliance insight is simple: one disciplined change workflow can generate evidence for ISO/IEC 27001:2022, NIS2, DORA, GDPR, NIST CSF 2.0, and customer assurance if it is designed correctly.
What Clarysec means by a secure change
A secure change is not merely “approved.” It is proposed, risk assessed, authorized, tested, implemented through controlled means, monitored after deployment, documented, and reviewed. It has a business owner, technical owner, risk owner, affected assets, affected services, data impact, supplier impact, testing record, approval record, rollback decision, and post-implementation evidence.
The enterprise foundation is the Change Management Policy P05 Change Management Policy, which states:
To ensure that all changes are reviewed, approved, tested, and documented prior to execution.
From section “Objectives,” policy clause 3.1.
The same policy anchors the ISO control basis:
Annex A Control 8.32 – Change Management: This policy fully implements the requirement to manage changes to information processing facilities and systems in a planned and controlled manner.
From section “Reference Standards and Frameworks,” policy clause 11.1.3.
It also gives auditors a clear evidence expectation:
All change requests, reviews, approvals, and supporting evidence must be recorded in the centralized Change Management System.
From section “Policy Implementation Requirements,” policy clause 6.1.1.
For smaller organizations, the Change Management Policy - SME Change Management Policy - SME keeps the process proportionate without making it informal. It requires:
A risk level (Low, Medium, High) must be assigned before approval.
From section “Policy Implementation Requirements,” policy clause 6.2.3.
It also makes senior governance explicit for significant changes:
All major, high-impact, or cross-departmental changes must be approved by the General Manager.
From section “Governance Requirements,” policy clause 5.3.2.
And it preserves a basic evidence trail:
Maintains a basic Change Log recording dates, change types, outcomes, and approvers.
From section “Roles and Responsibilities,” policy clause 4.2.2.
This is the proportionality principle in practice. Enterprises can use centralized workflow tools, CAB approval, CMDB links, CI/CD evidence, security gates, and management dashboards. SMEs can use a lightweight change log, Low, Medium, and High risk classification, defined approval thresholds, rollback planning, and retrospective review of emergency changes. Both can produce evidence. Both can reduce risk.
The Friday change, done the right way
Return to Maria’s Friday incident. A weak change process asks, “Was someone comfortable with the release?”
A secure change process asks:
- What asset, service, data flow, customer function, and supplier dependency are affected?
- Is this standard, normal, emergency, or high-risk change?
- Does it affect a DORA critical or important function?
- Does it affect a NIS2 essential or important service?
- Does it process personal data under GDPR?
- Has the change been tested outside production?
- Does the test include security, compatibility, performance, monitoring, and rollback validation?
- Who owns the risk of deploying, and who owns the risk of not deploying?
- What evidence will remain after implementation?
- What monitoring will confirm the change did not degrade resilience?
- If it fails, does the incident workflow activate?
The Zenith Blueprint: An Auditor’s 30-Step Roadmap Zenith Blueprint makes this operational in the Controls in Action phase, Step 21, covering controls 8.27 to 8.34:
Change is inevitable, but in cybersecurity, uncontrolled change is dangerous. Whether it’s deploying a patch, updating software, tweaking configurations, or migrating systems, even the smallest change can introduce unexpected consequences. Control 8.32 ensures that all changes to the information environment, particularly those impacting security, are evaluated, authorized, implemented, and reviewed through a structured and traceable process.
The same Step 21 gives the rhythm of implementation:
At its core, effective change management is a repeatable workflow. It begins with a clear proposal, outlining what’s changing, why, when, and what the potential risks are. All proposed changes should go through authorization and peer review, particularly for production systems or systems processing sensitive data. Changes should be tested in an isolated environment before being rolled out. Documentation and communication are also essential. After implementation, changes should be reviewed for effectiveness.
That is the difference between change control as paperwork and change control as operational resilience.
Cross-compliance mapping: one workflow, many obligations
Regulators and auditors often ask the same question in different language: can the organization control change to protect systems, services, data, and resilience?
| Change management practice | ISO/IEC 27001:2022 and ISO/IEC 27002:2022 | NIS2 | DORA | GDPR | NIST CSF 2.0 and COBIT 2019 lens |
|---|---|---|---|---|---|
| Define change scope and affected assets | ISMS scope, risk assessment, 8.9 Configuration Management, 8.32 Change Management | Supports Article 21 risk-management measures and secure maintenance | Supports Article 6 ICT risk management and Article 8 identification | Supports accountability for systems processing personal data | NIST GOVERN and IDENTIFY expect context, assets, and dependencies; COBIT 2019 expects governed change enablement |
| Risk rate each change | Clauses 6.1.1 to 6.1.3, risk treatment, risk-owner approval | Supports proportionate technical, operational, and organisational measures | Supports risk-based ICT governance and proportionality | Supports appropriate security measures under Article 32 | NIST Profiles support current-state and target-state risk decisions |
| Test before production | 8.29 Security Testing in Development and Acceptance, 8.31 environment separation | Supports cyber hygiene and secure development and maintenance | Supports Article 24 resilience testing and Article 9 protection and prevention | Reduces risk to personal data confidentiality and integrity | NIST PROTECT and DETECT expect validation and monitoring |
| Approve high-risk changes | Leadership, responsibility, operational planning, control operation | Article 20 links management oversight to cybersecurity measures | Article 5 management body responsibility and Article 6 ICT risk governance | Demonstrates controller or processor accountability | COBIT 2019 expects role clarity, accountability, and decision records |
| Document rollback and recovery | Business continuity, backup, documented procedures, incident readiness | Supports incident impact minimization and continuity | Supports Articles 11 and 12 response, recovery, backup, and restoration | Supports availability and resilience of processing systems | NIST RECOVER expects recovery planning and improvement |
| Monitor after deployment | Logging, monitoring, incident detection, performance review | Supports incident handling and control effectiveness assessment | Supports Articles 10, 13, and 17 detection, learning, and incident management | Supports breach detection and security accountability | NIST DETECT and RESPOND expect event analysis and response coordination |
| Manage supplier-initiated changes | 5.21 ICT supply chain, supplier services, cloud services, 8.32 Change Management | Supports Article 21 supply-chain security | Supports Articles 28 to 30 ICT third-party risk and contractual controls | Supports processor oversight and security of processing | NIST GV.SC expects supplier governance, contracts, monitoring, and exit planning |
NIST CSF 2.0 is useful because it can be used by organizations of all sizes and sectors alongside legal, regulatory, and contractual requirements. Its Profiles help teams define Current and Target Profiles, analyze gaps, prioritize actions, implement improvements, and update the program over time. In practical terms, change management becomes not only a control, but a roadmap for reducing operational risk.
Supplier changes: the risk most teams underestimate
Many production failures are not caused by internal code. They come from suppliers.
A cloud provider changes a managed database version. A payment processor modifies an API. An MSSP changes alert routing. A SaaS vendor moves a subprocessor. A managed identity provider changes default authentication behavior. The customer’s control environment changes even if no internal developer touched production.
The Zenith Blueprint addresses this in the Controls in Action phase, Step 23, covering organizational controls 5.19 to 5.37:
A supplier relationship is not static. Over time, the scope evolves. Control 5.21 is about making sure that doesn’t happen in the dark. It requires organizations to control and manage security risks introduced by changes to supplier services, whether those changes are initiated by the supplier or internally driven.
The practical trigger is equally important:
Any change in supplier services that affects your data, systems, infrastructure, or dependency chain should trigger a reassessment of what the supplier now has access to; how that access is managed, monitored, or secured; whether the controls previously in place still apply; and whether original risk treatments or agreements need to be updated.
Under DORA Articles 28 to 30, financial entities must maintain ICT service contract registers, assess concentration risk, perform due diligence, monitor providers, preserve audit and inspection rights, maintain exit strategies, and control critical or important ICT dependencies. Under NIS2 Article 21, supply-chain security is part of the minimum cybersecurity risk-management measures.
Clarysec’s operating model connects supplier change notifications to the internal change workflow. If a supplier change affects data, availability, security, contractual commitments, critical functions, or customer obligations, it becomes a governed change record with risk reassessment, owner approval, testing where possible, customer communication where required, and updated evidence.
Environment separation: the safety net for controlled change
A policy that says “test before production” is meaningless if the organization has no reliable non-production environment.
The Zenith Controls book maps ISO/IEC 27002:2022 control 8.31 Separation of Development, Test and Production Environments as a preventive control supporting confidentiality, integrity, and availability. It directly supports 8.32 because it allows changes to move through development, testing, acceptance, and production with evidence at each gate.
Environment separation also connects to secure coding, security testing, test information protection, and vulnerability management. Patch testing in non-production supports faster and safer remediation. Security testing should occur before production deployment. Test data must be protected, masked, and controlled.
| Evidence item | Example |
|---|---|
| Test environment used | Staging environment name, account, region, build identifier |
| Configuration baseline | Previous and proposed configuration snapshots |
| Test results | Functional, security, compatibility, performance, and monitoring checks |
| Data protection evidence | Confirmation that unmasked production personal data was not used unless approved and protected |
| Promotion record | CI/CD pipeline run, approver, deployment artifact hash, release tag |
| Production validation | Logs, metrics, alert status, customer-impact check, post-implementation review |
This table often separates “we believe it was controlled” from “we can show it was controlled.”
Emergency vulnerability patch: a practical Clarysec workflow
Consider a SaaS provider supporting financial customers. A critical vulnerability is discovered in a library used by its authentication service. The service processes customer identifiers, login metadata, session tokens, and authentication events. The fix must move quickly, but it affects production authentication, logging, session behavior, and a managed cloud identity integration.
Use this workflow.
Step 1: Create and classify the change record
Open the change in the centralized Change Management System or SME Change Log.
| Field | Example entry |
|---|---|
| Change title | Emergency patch for authentication library vulnerability |
| Business service | Customer authentication service |
| Affected assets | Auth API, identity provider integration, logging pipeline, session store |
| Data involved | Customer identifiers, login metadata, session tokens |
| Supplier dependency | Cloud identity provider and managed database |
| Change type | Emergency high-risk security change |
| Risk rating | High |
| Risk owner | CISO or Head of Engineering |
| Approver | CAB, service owner, or General Manager for SME |
This implements the enterprise evidence requirement from the Change Management Policy and the SME requirements for a Change Log and pre-approval risk rating.
Step 2: Link the change to vulnerability and risk treatment
Connect the change to the vulnerability ticket, risk register, treatment plan, and Statement of Applicability. In ISO/IEC 27001:2022 terms, this shows operation of the risk treatment process. In ISO/IEC 27002:2022 terms, it connects 8.8 Management of Technical Vulnerabilities to 8.32 Change Management.
Patching is not an exception to change control. It is one of its most important use cases.
Step 3: Test in a separated environment
Deploy the patched library in staging. Run authentication success and failure tests, MFA tests, session expiry tests, logging verification, alert verification, dependency compatibility checks, performance smoke tests, and regression tests for customer integrations.
Do not use unmasked production personal data unless there is a documented lawful basis and security-approved protection. GDPR Article 5 principles, including data minimisation, integrity, confidentiality, and accountability, should shape test-data decisions.
Step 4: Document rollback
The Change Management Policy - SME requires:
A rollback plan must be documented for every high-risk change.
From section “Policy Implementation Requirements,” policy clause 6.4.2.
For the authentication patch, the rollback plan should include the previous library version, deployment artifact, database compatibility notes, identity provider configuration backup, feature flag state, session invalidation decision, monitoring checkpoint, rollback owner, and maximum tolerable outage.
Step 5: Approve with risk visibility
For an enterprise, require CAB, security, product owner, and service owner approval based on risk. For an SME, apply the General Manager approval requirement for major, high-impact, or cross-departmental changes.
Approval should answer four questions: what is the risk of deploying, what is the risk of not deploying, what compensating controls exist, and what monitoring will confirm success?
Step 6: Deploy, monitor, and review
Deploy through the approved pipeline. Capture CI/CD logs, approver identity, artifact version, deployment timestamp, change ticket, and production validation metrics. Monitor authentication errors, latency, failed logins, alert volume, session anomalies, and support tickets.
If the change causes a significant incident, the incident workflow must activate. NIS2 Article 23 requires staged significant incident reporting, including early warning within 24 hours, incident notification within 72 hours, intermediate updates where required, and a final report within one month after the 72-hour notification. DORA Articles 17 to 19 require ICT-related incident management, classification, escalation, major incident reporting, and communication where appropriate.
A post-implementation review should ask whether the patch worked, whether side effects occurred, whether logs were sufficient, whether rollback was needed, whether supplier dependencies behaved as expected, and whether the operating procedure should change.
The audit lens: how reviewers test change management
The Zenith Blueprint gives a practical sampling method in Controls in Action phase, Step 21:
Pick 2–3 recent system or configuration changes and check whether they were processed via your formal change management workflow.
It then asks:
✓ Were risks assessed?
✓ Were approvals documented?
✓ Was a rollback plan included?
Auditors will also validate that changes were implemented as planned, unexpected impacts were recorded, logs or version-control diffs were retained, and tools such as ServiceNow, Jira, Git, or CI/CD platforms support a Change Record Summary Log.
| Auditor lens | What they will likely ask | Evidence that helps |
|---|---|---|
| ISO/IEC 27001:2022 auditor | Is change management defined, implemented, risk-based, monitored, and improved? | Policy, procedure, change samples, risk ratings, approvals, tests, rollback plans, SoA linkage, internal audit findings |
| DORA examiner | Are ICT changes governed for critical or important functions, tested, documented, reversible, and monitored? | ICT asset mapping, function mapping, test evidence, rollback records, incident classification links, supplier dependency records |
| NIS2 reviewer | Do changes support cyber hygiene, secure maintenance, incident prevention, continuity, and management oversight? | Board-approved policy, high-risk approvals, continuity impact analysis, supplier change review, control effectiveness evidence |
| GDPR reviewer | Did the change affect personal data, access, minimisation, logging, retention, or breach risk? | DPIA or privacy note, data-flow update, test-data controls, access review, encryption and logging evidence |
| NIST CSF assessor | Does the organization govern, identify, protect, detect, respond, and recover around change risk? | Current and Target Profile actions, asset inventory, vulnerability treatment, monitoring checks, response playbooks |
| COBIT 2019 auditor | Are roles, approvals, segregation of duties, exceptions, metrics, and governance objectives operating effectively? | RACI, CAB records, emergency change exceptions, segregation evidence, KPIs, management reporting |
The lesson is consistent: auditors do not only want a policy. They want proof that the policy becomes behavior.
Common change management failure patterns
Secure change management failures are usually predictable. They appear when the process is too heavy for normal work, too vague for high-risk work, or disconnected from real engineering tools.
Common patterns include:
- Emergency changes that are never retrospectively reviewed
- Patches deployed as routine operations tasks with no risk approval
- Supplier changes accepted by email but never entered into the change log
- Testing performed but not retained as evidence
- Rollback plans that only say “restore previous version”
- CAB approvals without security impact analysis
- Development, test, and production environments sharing data, credentials, or admin access
- Configuration changes that do not update baseline records
- Cloud console changes performed outside infrastructure-as-code
- Monitoring rules changed without incident response notification
- Personal data used in test environments without masking or approval
- DORA-critical ICT dependencies missing from impact analysis
- NIS2 management oversight limited to annual policy approval
These are not just audit issues. They are warning signs of operational fragility.
Secure change management checklist for 2026
Use this checklist to test whether your process can support ISO/IEC 27001:2022, NIS2 cyber hygiene, DORA ICT risk, GDPR security, NIST CSF 2.0, and COBIT 2019 expectations.
| Question | Why it matters |
|---|---|
| Is every production change recorded in a controlled system or change log? | Without a record, accountability and evidence collapse. |
| Are changes classified by risk level before approval? | Risk rating drives testing, approval, rollback, and monitoring expectations. |
| Are affected assets, services, data, suppliers, and critical functions identified? | NIS2 and DORA require dependency-aware cybersecurity and ICT risk management. |
| Are high-risk changes approved by accountable management? | NIS2 and DORA emphasize governance and management responsibility. |
| Is testing performed in a separated non-production environment? | Testing directly in production creates avoidable confidentiality, integrity, and availability risk. |
| Are security, compatibility, performance, and monitoring checks documented? | DORA resilience and ISO audit expectations require more than functional testing. |
| Is rollback or recovery documented for high-risk changes? | Availability and resilience depend on pre-planned recovery decisions. |
| Are supplier-initiated changes captured and assessed? | DORA ICT third-party risk and NIS2 supply-chain security require supplier-change visibility. |
| Are emergency changes reviewed after implementation? | Emergency means expedited, not uncontrolled. |
| Are logs, version diffs, approvals, and deployment artifacts retained? | Auditors and incident responders need traceability. |
| Are lessons learned fed into procedures and risk treatment plans? | ISO/IEC 27001:2022 continual improvement depends on corrective action and management review. |
Make your next change defensible
If your next production release, cloud configuration update, emergency patch, supplier migration, or identity provider change were sampled tomorrow, could you show the full chain of evidence?
Start with three actions:
- Select three recent production changes and assess them using Zenith Blueprint, Controls in Action phase, Step 21.
- Map your workflow to ISO/IEC 27002:2022 controls 8.32, 8.9, 8.8, 8.25, 8.27, 8.29, 8.31, 5.21, and 5.37 using Zenith Controls.
- Adopt or tailor Clarysec’s Change Management Policy or Change Management Policy - SME so risk rating, approval, testing, rollback, supplier review, monitoring, and evidence retention become normal operating behavior.
Secure change management is where compliance, engineering, resilience, and trust meet. The organizations that can prove controlled change will be better positioned for ISO/IEC 27001:2022 audits, NIS2 cyber hygiene expectations, DORA ICT risk scrutiny, GDPR accountability, and customer assurance.
Download the Clarysec change management policies, explore Zenith Blueprint and Zenith Controls, or book a Clarysec assessment to turn change management from a Friday-afternoon risk into a repeatable operating system for resilience.
Frequently Asked Questions
About the Author
Igor Petreski
Compliance Systems Architect, Clarysec LLC
Igor Petreski is a cybersecurity leader with over 30 years of experience in information technology and a dedicated decade specializing in global Governance, Risk, and Compliance (GRC).Core Credentials & Qualifications:• MSc in Cyber Security from Royal Holloway, University of London• PECB-Certified ISO/IEC 27001 Lead Auditor & Trainer• Certified Information Systems Auditor (CISA) from ISACA• Certified Information Security Manager (CISM) from ISACA • Certified Ethical Hacker from EC-Council
