How:
Changes to
operational systems should only be made when there is a valid reason to
do so, such as an increase in the risk to the system. Updating systems
with the latest versions of operating systems or applications is not
always in the best interest of an organization, as this could introduce
more vulnerabilities and instability than the current version. There may
also be a need for additional training, license costs, support,
maintenance and administration overhead, and new hardware, especially
during migration.

Formal management responsibilities and procedures should be in place to
ensure satisfactory control of all changes to equipment, software or
procedures. When changes are made, an audit log containing all relevant
information should be retained. In particular, the following items
should be considered:

- Identification and recording of significant changes
- Planning and testing of changes
- Assessment of the potential impacts, including security impacts, of
such changes
- Formal approval procedure for proposed changes
- Communication of change details to all relevant persons
- Fallback procedures, including procedures and responsibilities for
aborting and recovering from unsuccessful changes and unforeseen events.

Further information on change management can be found at the following
links: