The change log records every planned and executed change to IT systems, configurations, and infrastructure. Without this documentation, the most important question after a security incident goes unanswered: what changed recently?
ISO 27001 Control A.8.32 requires structured change management. Changes to information processing facilities and systems must follow a defined process — with risk assessment, approval, implementation, and post-implementation review.
What does it contain?
The CSV template covers the change process from request to closure:
- Change ID and title — unique identifier and clear description
- Category — standard change, normal change, emergency change
- Requester and date — who requested the change?
- Affected systems — link to the asset register
- Risk assessment — what impact does the change have on information security?
- Approver and approval date — who authorised the change?
- Implementation date and implementer — who carried it out, when?
- Rollback plan — how can the change be reversed?
- Outcome — successful, partially successful, rolled back
How to use it
Document before implementation. Every planned change is recorded in the log before it is carried out. The entry describes what is changing, why, which systems are affected, and what risk is involved. Implementation may only begin after formal approval.
Implementation and post-review. After implementation, verify whether the change achieved the desired result and no unexpected side effects occurred. The outcome is documented in the log. Failed changes are rolled back — the rollback plan from the request phase comes into play.
Correlation with incidents. During a security incident, the change log is one of the first sources reviewed. Is there a temporal correlation between a recent change and the incident? This connection requires complete documentation.
| ID | Title | Type | Category | Requester | Owner | Systems | Risk | Impact | Rollback Plan | Planned Start | Planned End | CAB Date | CAB Decision | Actual Result | Closure Date |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CHG-2026-001 | Upgrade Veeam backup server to v12.1 | Normal | Infrastructure | IT Operations | Markus Schulz | AST-008 | Medium | Backup window extended by 2h | Restore from snapshot | 2026-03-15 22:00 | 2026-03-15 04:00 | 2026-03-11 | Approved | Success | 2026-03-16 |
| CHG-2026-002 | Deploy FIDO2 keys to admin accounts (phase 1) | Normal | Security | ISO | Anna Weber | All admin accounts | Low | Admin login flow change | Revert policy + keep TOTP | 2026-04-05 18:00 | 2026-04-05 20:00 | 2026-04-01 | Approved | Success | 2026-04-06 |
| CHG-2026-003 | Emergency FortiOS patch (CVE-2025-32756) | Emergency | Security | IT Operations | Markus Schulz | AST-010 | High | 5 min outage during failover | Roll back firmware | 2025-05-14 02:00 | 2025-05-14 02:30 | Post-approved 2025-05-14 | Approved | Success | 2025-05-14 |
| CHG-2026-004 | Rotate VPN pre-shared key | Standard | Security | IT Operations | IT Operations | AST-011 | Low | None (rolling) | N/A | 2026-04-01 20:00 | 2026-04-01 20:30 | Pre-approved (standard) | Approved | Success | 2026-04-01 |
| CHG-2026-005 | Add new VLAN for IoT devices | Normal | Network | Facilities | Markus Schulz | AST-010 | Low | None | Remove VLAN | 2026-03-20 19:00 | 2026-03-20 21:00 | 2026-03-18 | Approved | Success | 2026-03-20 |
| CHG-2026-006 | Migrate file server to new storage | Normal | Infrastructure | IT Operations | Markus Schulz | AST-004 | High | 4h downtime | Revert DNS to old server | 2026-05-10 22:00 | 2026-05-11 02:00 | 2026-05-06 | Approved | Planned | |
| CHG-2026-007 | Enable S3 public-access block account-wide | Normal | Security | ISO | Anna Weber | AST-012 | Low | None (bucket already private) | Revert setting | 2026-03-18 16:00 | 2026-03-18 16:15 | 2026-03-18 | Approved | Success | 2026-03-18 |
| CHG-2026-008 | Update Acceptable Use Policy v2.1 | Standard | Policy | ISO | Anna Weber | Document system | Low | None | Revert to v2.0 | 2026-02-01 09:00 | 2026-02-01 09:30 | Pre-approved (standard) | Approved | Success | 2026-02-01 |
| CHG-2026-009 | Deploy new EDR agent to fleet | Normal | Security | IT Operations | Markus Schulz | AST-006 | Medium | Possible performance hit | Uninstall via MDM | 2026-04-18 18:00 | 2026-04-18 22:00 | 2026-04-15 | Approved | In progress | |
| CHG-2026-010 | Install quarterly patches Q2 | Standard | Security | IT Operations | IT Operations | AST-004 AST-005 AST-006 | Medium | Reboot required | Rollback patch via WSUS | 2026-04-10 22:00 | 2026-04-11 04:00 | Pre-approved (standard) | Approved | Success | 2026-04-11 |
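
The approval rule and the incident correlation described under "How to use it" can be checked mechanically once the log is exported as CSV. The following Python sketch is an added example, not part of the original template: it uses a subset of the table's column names, treats Planned Start as a stand-in for the implementation time, and the row CHG-X-901, the function names and the 14-day window are assumptions made for illustration.

```python
import csv, io
from datetime import datetime, timedelta

# Constructed sample: a subset of the template's columns. The first four rows
# reuse values from the sample table; CHG-X-901 is a made-up row.
SAMPLE = """ID,Type,Systems,Planned Start,Planned End,CAB Date
CHG-2026-001,Normal,AST-008,2026-03-15 22:00,2026-03-15 04:00,2026-03-11
CHG-2026-003,Emergency,AST-010,2025-05-14 02:00,2025-05-14 02:30,Post-approved 2025-05-14
CHG-2026-005,Normal,AST-010,2026-03-20 19:00,2026-03-20 21:00,2026-03-18
CHG-2026-010,Standard,AST-004 AST-005 AST-006,2026-04-10 22:00,2026-04-11 04:00,Pre-approved (standard)
CHG-X-901,Normal,AST-004,2026-04-12 20:00,2026-04-12 21:00,2026-04-13
"""
TS = "%Y-%m-%d %H:%M"

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def findings(rows):
    """Return (change ID, problem) pairs for entries that break the process."""
    out = []
    for r in rows:
        start = datetime.strptime(r["Planned Start"], TS)
        end = datetime.strptime(r["Planned End"], TS)
        if end <= start:
            out.append((r["ID"], "planned end not after planned start"))
        if r["Type"] != "Normal":
            continue  # standard = pre-approved, emergency = post-approved
        try:
            cab = datetime.strptime(r["CAB Date"], "%Y-%m-%d")
        except ValueError:
            out.append((r["ID"], "normal change without CAB date"))
            continue
        if cab > start:  # planned start stands in for implementation time
            out.append((r["ID"], "approved after planned start"))
    return out

def changes_before(rows, incident, asset, window_days=14):
    """IDs of changes on `asset` started within the window before `incident`, newest first."""
    lo = incident - timedelta(days=window_days)
    hits = [r for r in rows if asset in r["Systems"].split()
            and lo <= datetime.strptime(r["Planned Start"], TS) <= incident]
    return [r["ID"] for r in sorted(hits, key=lambda r: r["Planned Start"], reverse=True)]

if __name__ == "__main__":
    rows = load(SAMPLE)
    for cid, problem in findings(rows):
        print(cid, problem)
    print(changes_before(rows, datetime(2026, 4, 14, 8, 0), "AST-004"))
```

Entries whose Systems field is free text rather than asset IDs (for example "All admin accounts") will not match an asset lookup, which is one reason to link that column to the asset register.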
Sources
- ISO/IEC 27001:2022, A.8.32 — change management
- ISO/IEC 27002:2022, Section 8.32 — implementation guidance for change management
- ITIL 4, Change Enablement — established practice for change processes