Skip to main content

CompTIA A+

Change Management

20 min read

In IT support, change management is the set of controls used to plan, review, and record changes to systems and services so work doesn't break production. It matters because unmanaged changes can cause downtime, open security gaps, and reduce user trust. This post aligns to "CompTIA A+ Core 2 (220-1202), Domain 4.0, Objective 4.2 (Change management)." and frames the objective as practical habits you can apply on the job.

Objective 4.2 centers on what a good change request includes, such as the purpose and scope, dates and times (including maintenance windows and change freezes), and which systems will be affected. It also expects you to know change types (standard, normal, emergency), how approvals work through a change board, and why risk analysis should match the risk level.

Finally, you'll see how implementation steps, peer review, and end-user acceptance fit together so a change can be completed, verified, and documented. By the end, you'll be able to identify the right change type, complete a request form, and explain the approval and acceptance path with confidence.

Change Request Forms

For CompTIA A+ Core 2 (220-1202), Domain 4.0, Objective 4.2, the change request form is the written control that turns a risky idea into a planned, reviewable action. A strong form prevents the most common failure in change management: people assuming details that no one agreed to. Treat the form like a flight plan, it should state where you are going, what route you will take, and what you will do if the weather turns.

Good requests are also easy to review. If a change board cannot tell what will change, who it affects, and when it happens, approval becomes guesswork. As a result, teams either block useful work or approve risk they did not see.

Purpose and scope, write what you are changing and what you are not

Purpose explains why the change exists and what outcome you expect. Keep it short and measurable. For example, "Reduce failed logins by fixing SSO token renewal" is clearer than "Improve authentication."

Scope defines where the change applies and, just as important, where it stops. Scope is your guardrail. It protects you from accidental extras like "while we are in there" updates that add risk and time.

A simple way to write scope is to name four boundaries: systems, people, places, and time.

Mini example (clear scope boundaries):

  • In scope: Microsoft Entra ID SSO configuration for AppX, token lifetime policy, and the AppX enterprise application settings.
  • Out of scope: Any password policy changes, MFA policy changes, and changes to other SaaS apps.
  • Users affected: All AppX users (about 420 staff), excluding contractors who use a separate tenant.
  • Locations: Corporate network and remote users (VPN not required for AppX).
  • Time range: Change executed Saturday 01:00 to 02:00 UTC, monitoring through 06:00 UTC.

A good scope statement makes it hard to "accidentally" expand the change after approval.

Before you submit, capture enough scope detail that a reviewer can spot gaps without chasing you. This short list keeps the writer from overreaching:

  • Systems and components included (apps, servers, network devices, cloud services).
  • Interfaces and dependencies (APIs, SSO, DNS, certificates, firewalls).
  • Users and teams affected (counts if known, plus critical roles).
  • Locations and access paths (sites, remote access, VPN, mobile).
  • What is explicitly out of scope (name the tempting add-ons).
  • Success criteria (what "working" means, plus how you will verify).
  • Impact summary (expected downtime, performance hit, feature change).

Pick the right change type: standard, normal, or emergency

Choosing the change type is not paperwork, it sets the approval path and the control level. Under Objective 4.2, you should recognize the three common types and when each fits.

Here is the practical meaning of each:

Change typeSimple definitionExample
Standard changePre-approved, repeatable, low-risk work with a proven procedure.Monthly Windows endpoint patching using an approved baseline and test group.
Normal changePlanned change that needs full review because risk, impact, or complexity is higher.Migrating a file share to a new NAS, including permission mapping and user cutover.
Emergency changeUrgent fix to restore service or close a serious exposure, with speed prioritized and added controls for higher risk.Applying a critical firewall rule to block active exploitation of a public service.

Standard changes work because the risk is already understood and controls are built into the template. Normal changes need fuller review because they often touch multiple systems, users, or dependencies. Emergency changes accept higher uncertainty, so you compensate with strict documentation, fast approvals, and strong after-the-fact review.

Misclassification usually happens when someone labels a change standard because it feels routine, even though the context is different (new system, new vendor, peak business period, or an untested step). That causes trouble because reviewers apply the wrong level of scrutiny, and the team may skip testing, communications, or rollback planning.

Schedule the work, maintenance windows and change freezes

Every change request needs a date and time that others can act on. "After hours" is not a schedule. Set a start time, an expected end time, and a monitoring period. When possible, align work to a defined maintenance window, which is a pre-set time when the business accepts planned disruption because user impact is lower and support coverage is ready.

A change freeze is a period when the organization limits non-essential changes to protect stability. Freezes often happen during holidays, peak sales events, end-of-quarter finance close, or major launches. During a freeze, only standard changes and approved emergencies usually proceed, and even then, communication tends to be tighter.

Scheduling also fails when teams ignore time zones. Write the time in a single reference zone (often UTC) and include the local time for key sites. In addition, time user communication so people can plan. If the change affects logins, tell users before the workday, not during it.

Back-out timing needs the same discipline. Define a clear point where you stop trying to fix forward and execute the rollback. That decision point should occur early enough that you still have staff, approvals, and vendor support available.

Bad schedule vs good schedule:

  • Bad: "Friday night, deploy update, rollback if needed."
  • Good: "Start 23:00 ET Friday (04:00 UTC Sat), end 23:30 ET, validate 23:30 to 00:00 ET, rollback decision by 23:40 ET, business comms sent by 10:00 ET Thursday, service desk briefed 16:00 ET Thursday."

In short, the schedule section should answer three review questions: When will users feel it, who will be available to respond, and how quickly can you safely undo the change if results differ from plan?

Measure Impact and Risk

For CompTIA A+ Core 2 (220-1202), Domain 4.0, Objective 4.2, you must show that you can describe affected systems/impact and complete a simple risk analysis before any production change. This step prevents "quiet" outages caused by forgotten dependencies, unclear blast radius, or weak recovery planning. Treat production like a busy highway, even a small lane change needs a mirror check, a signal, and a safe exit.

List affected systems and the expected impact in plain words

Start by listing what you will touch and what might feel the ripple. Name systems so another tech can find them fast, even at 2 a.m. Use identifiers your team actually uses, such as a hostname, application name, VLAN, site, cloud resource name, or circuit label.

Good ways to name systems (use more than one when it helps):

  • Server/host: FS-01.corp.example, esx07, db-prod-2
  • Application/service: "Payroll web app", "SSO (Entra ID)", "VoIP call manager"
  • Network segment: "VLAN 30 (Finance)", "Guest Wi-Fi SSID", "DMZ subnet 10.20.30.0/24"
  • Site/location: "HQ 3rd floor", "Branch-SEA", "Data center rack R12"
  • Cloud/SaaS object: "AWS security group sg-0123…", "M365 tenant", "Azure vNet-prod"

Next, describe impact in plain words. Avoid vague terms like "might be affected." State what users will notice and what data could be at risk.

Common impact phrases that reviewers understand:

  • Downtime: "Users can't log in for up to 10 minutes."
  • Degraded performance: "App may run slower for 30 minutes during index rebuild."
  • Feature loss: "Printing from macOS may fail until the new driver deploys."
  • Data risk: "Misconfig could expose files to a wider group."
  • Security risk: "Wrong rule could open inbound access from the internet."

Also, list dependencies people often forget. These services can break "unrelated" work:

  • DNS (name resolution, split-DNS, forwarders)
  • DHCP (IP assignment, options like gateway and DNS servers)
  • Identity (AD, Entra ID, MFA, RADIUS, SSO)
  • Certificates (TLS, intermediates, expiration, trust chain)
  • Storage (SAN/NAS, iSCSI, SMB permissions, capacity)
  • Internet edge (ISP, firewall, proxy, NAT, VPN)

A copy-ready template sentence:

"Change affects SYSTEM/APP at SITE/VLAN; expected user impact is DOWNTIME/PERF, data risk is LOW/MED/HIGH because REASON; key dependencies are DNS/DHCP/IDENTITY/CERTS/STORAGE/INTERNET."

If you can't explain impact in two sentences, the change is not ready for approval.

Do a basic risk analysis and set a risk level

Risk does not mean "something bad will happen." Risk means the chance of a problem multiplied by how bad it would be.

This lesson is part of ExamWizardz Pro

Unlock every lesson, unlimited practice tests, and the AI tutor.

See Pro pricing

or start with a free account