A CAB (Change Advisory Board) is a board that reviews, evaluates, and approves or rejects IT change requests. It ensures that changes to IT systems are carried out in a structured, risk-assessed manner.
ISO 27001 Annex A control A.8.32 (Change Management) requires a controlled change process. The CAB is the organizational implementation of this requirement. Typical members include representatives from IT operations, information security, affected business units, and potentially management. The CAB assesses risk, impact, rollback planning, and timing for each change. For urgent changes (emergency changes), a shortened process with retrospective CAB review is common. The process is closely linked to configuration management.