Change management

How the 7 R's tool can make your management easier

*By Juliana Nunes

In IT service management, the change management process brings a set of procedures and actions to identify, implement and monitor the necessary changes to be performed in organizations' environments. Unlike other managements, in addition to technology, it is necessary that both the process and the people walk together at all stages, aligning IT activities with business objectives.

The standardization of methods to manage changes is intended to make processes safer from the moment of the request, where they are evaluated, approved and prioritized, ensuring that they are appropriate for the organization's business, as well as in the implementation, developing the changes according to all security standards, testing and monitoring that they are performing correctly.


To achieve effective change management practices were created to assist in the development of processes, the 7 R's work as essential questions making them tools to ensure that the process is being followed correctly.

1 - Who REQUIRED the change?

First, the greatest importance is to know who is requesting the change, to understand the responsibility of the person in the face of the environment to be changed. In addition to bringing traceability to the request, it is necessary to have the appropriate approvals to continue the process.

2 - What is the REASON for change?

The reason for the change must be clear in the request, as well as the areas and systems to be impacted. Understanding why it is possible to analyze whether the change is plausible, classify its prioritization and assign it to the responsible teams.

3 – What is the RETURN expected from the change?

In addition to the reason, it is important to define what returns are expected after executing the change, whether it is an ease in the process, financial return, risk reduction, among others.

4 – What are the SCRATCHS involved in change?

It is necessary to map all risks that may present non-compliance during and after the execution of the change, these risks must be monitored and the impacts must be defined in the process. If necessary, an action plan must be created to eliminate, mitigate, transfer or accept the risk.

5 - Which RESOURCES are necessary to enable change?

Before initiating a change process, the resources needed to enable its completion must be defined and available, whether people, technology or process.

6 – Who are the RESPONSIBLE for building, testing, and implementing the change?

Along with tasks, communications, approvals and collaborations, those responsible must also be defined in advance, making it clear what must be done, by whom, when and in how long. It is worth mentioning that testing and approval by the requestor prior to deployment is of paramount importance for the effectiveness of the change.

7 – What is the RELATIONSHIP between this change and the others?

Finally, having a base of the changes already implemented helps to map out if there is a conflict with new changes. With the request history it is also possible to verify the reason why the change was approved or denied, avoiding rework.


Regardless of the tool used to manage the changes, it is important for the organization to be aware that this is one of the fundamental controls for reducing risks and for IT processes to operate in compliance.

Change management ensures that the process is effective, reducing costs and optimizing results by monitoring activities, reducing the queue of problem requests and process failures, thereby reducing emergency actions.

Understanding the importance and how it is possible to use a tool to facilitate a complex process is half a step towards increasing the maturity of your business.

— Juliana Nunes is a GRC and Information Security Senior Consultant | [SAFEWAY]

How can we help?

THE SAFEWAY is an Information Security consulting company recognized by its clients for offering high value-added solutions through projects that fully meet the needs of the business. In 14 years of experience, we have accumulated several successful projects that have earned us credibility and prominence with our clients, who largely make up the 100 largest companies in Brazil.

today through 25 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one stop shopping with the best solutions in technology, processes and people. We have both the technical skills and the experience necessary to assist your company in the process of structuring controls and preparing the environment for the implementation of an ISMS, SGS or SGCN and, consequently, certification of operations, services or companies to the ISO27001, ISO20000 or ISO22301 standards.

In order to support companies in this process of evaluation and adaptation to the requirements of the LGPD, [SAFEWAY] has in its portfolio of services, the Cybersecurity Health Check whose objective is to carry out a diagnosis of the CyberSecurity, Information Security and Data Privacy implemented in your company, contemplating the pillars of Law SuitPeople and Technology.

through the Cybersecurity Health Check, risks associated with information security and privacy of internal processes and activities are identified, existing controls and new controls evaluated according to the size of your organization to increase the level of maturity and compliance, in accordance with good information security practices. If you would like more information, contact one of our experts!