Gartner Research

Change Management for the Enterprise

Published: 05 January 2005

ID: G00203007

Analyst(s): Fred Cohen

Summary

Burton Group principal analyst Fred Cohen discusses change management and the technologies and management systems required to apply it effectively and appropriately at the enterprise level.

Table Of Contents

Synopsis

Analysis

  • Risk Levels Lead to Surety Levels
  • Surety Level Is a Key Driver
  • Key Tradeoffs
  • Integrating Change Management with the Rest of the Security Process
  • Significant Changes May Require Risk Management Involvement
  • Approaches to Change Management and When to Use Them
  • Tools and Techniques
  • Where Are Change Management Technologies Going?
  • Recommendations
    • Meet or Exceed Risks with Change Management Surety
    • There Is No One Best Approach
    • Choose Surety over Timeliness
    • Control Low-Surety Components of Medium-Surety Systems
    • Consolidate Change Management Approaches, Not Systems
    • Provide Coverage at Multiple Levels
    • Different Metrics Apply at Different Risk Levels

The Details

  • Change Management Requirements
    • Time, Surety, and Cost Trade Off
    • Reversibility
    • Auditability
    • Source and Transport Integrity
    • Policy and Regulatory Requirements
    • Testing Requirements
    • Knowledge Requirements
    • Security Objectives Must Be Maintained During Change
    • Only Authorized People Should Be Able to Make Changes
    • Change Management Workflows Assure Process Integrity
    • Significant Changes May Require Risk Management Involvement
    • Interorganizational Coordination Requirements
    • Change Sequencing Issues Should Be Addressed
    • Change Control Must Be Adequate for System Assurance Requirements
    • Residual Data Must Be Controlled
    • Emergency Overrides Are Sometimes Required
  • Approaches to Change Management
    • Systemic Change Control and Accreditation
    • Sound Change Control
    • Managed Infrastructures
    • Managed Configurations
    • Common Operating Environments
    • Uncontrolled Environments
  • Tools and Techniques
    • Management Control Mechanisms
    • Infrastructure Control Mechanisms
    • Hardware Control Mechanisms
    • OS Controls
    • Configuration Control Level
    • Application Control Level
    • Input, Output, Storage, Transmission, and Other Data-Control Level
    • Ubiquitous Mechanisms and Principles
    • Lifecycle Issues
  • Where Is the Change Management Technology Going?
    • Configuration and Patch Management Systems
    • Time Is Too Short for Patching Strategies to Work
    • Interorganizational Coordination Is Becoming Far More Complex
    • Regulatory Drivers Are Making Changes More Complex
    • Cost Drivers Are Making Emergency Changes Very Hard to Swallow
  • Tradeoffs for Change Management
    • Management Tradeoffs
    • Vendor Tradeoffs
    • User Tradeoffs
    • Other Tradeoffs

Conclusion

©2020 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. It consists of the opinions of Gartner’s research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party. For further information, see Guiding Principles on Independence and Objectivity.
