Which of the following statements is true regarding change management?

Change management is a structured approach to transitioning individuals, teams, and organizations from a current state to a desired future state while minimizing risk and disruption.

Definition of Change Management:

Change management ensures that all modifications to IT systems, processes, and applications are controlled and documented.

As per the IIA GTAG on Change Management, an effective change management process should be repeatable, defined, and predictable to reduce errors and system failures.

Why Change Management Must Be Structured?

Uncontrolled changes increase risks such as security vulnerabilities, data loss, and system downtime.

Best practices (e.g., ITIL, COBIT) require organizations to follow a consistent change management process to protect the production environment.

A structured approach includes:

Documenting change requests

Testing in non-production environments

Gaining approvals before deployment

Why Not Other Options?

A. The degree of risk associated with a proposed change determines whether the change request requires authorization:

All changes should require authorization, not just high-risk ones.

B. Program changes generally are developed and tested in the production environment:

Changes should never be tested in production due to risk exposure. Best practice is to test in a development or staging environment first.

C. Changes are only required by software programs:

Change management applies broadly to IT infrastructure, business processes, security protocols, and governance frameworks, not just software.

IIA GTAG – Change Management Controls

COBIT 2019 – Change Management Best Practices

ITIL Change Management Framework

IIA Standard 2120 – Risk Management

Step-by-Step Justification:IIA References:Thus, the correct and verified answer is D. To protect the production environment, changes must be managed in a repeatable, defined, and predictable manner.