Xoxoday maintains a fully documented change management process that governs all critical infrastructure modifications through a formal Change Advisory Board (CAB) chaired by the CTO, ensuring every change is reviewed, approved, tracked, and aligned with security and compliance requirements.
Scope and Change Classification
Xoxoday’s change management process applies to all critical infrastructure changes — including software updates, OS patches, server and network modifications, user access rights, and third-party software integrations. Every change is classified as either a Standard/Normal change (planned, with adequate lead time) or an Emergency change (urgent and time-sensitive, typically triggered for risk mitigation). This classification ensures the appropriate level of scrutiny is applied without slowing down critical responses. Emergency changes can be approved via email and documented retrospectively, while normal changes proceed through a full structured review cycle.
Change Request and Approval
Any change to production systems begins with a formal Request for Change (RFC). The RFC must include detailed implementation procedures, a rollback plan, and a clear business justification — without these, the request does not advance. Normal changes are reviewed and approved by the Change Advisory Board (CAB), chaired by the CTO with cross-functional representation from IT, security, and operations. Production changes additionally require sign-off from both the VP – IT and the CTO, ensuring executive accountability for high-impact modifications.
Scheduling and Stakeholder Communication
Approved changes are scheduled during low-usage windows to minimize operational disruption. Stakeholders receive advance notice — typically at least 15 days before any production change goes live. This lead time allows dependent teams and integrated systems — such as Microsoft Teams notification pipelines or HR platforms like Darwinbox and SAP SuccessFactors — to prepare for any downstream effects.
Tracking and Audit Trail
All changes are logged in a centralized tracker or ticketing system. Each entry captures approval status, implementation dates, rollback plans, and impact assessments. This creates a complete, auditable trail that supports Xoxoday’s alignment with frameworks including ISO 27001 and SOC 2 Type II, both of which require documented evidence of controlled change processes.
Compliance Reviews and Security Posture
Every change is evaluated for technical feasibility, security policy alignment, and cost-benefit impact before implementation. Xoxoday’s policy is unambiguous: no change may compromise the existing security posture. On an annual basis, all changes are reviewed for compliance adherence and process improvement opportunities, ensuring the change management function itself evolves alongside Xoxoday’s infrastructure and customer requirements.
Third-Party and Infrastructure Changes
Third-party software integrations follow the same change control protocol as internal infrastructure updates. Any update involving external systems must undergo a full impact analysis, meet defined acceptance criteria, and receive sign-off from the VP – IT and the CTO before deployment to production.
Learn more: Xoxoday Help Centre — Process, procedure and strategy