
Change Management

7-state change workflow with AI-assisted risk scoring, approval gates, and policy compliance checks.

The challenge

Does this sound familiar?

Change requests live in spreadsheets or Jira tickets. Risk assessments are manual guesswork. Nobody checks whether a change affects compliance. Rollback plans exist on paper but are never tested.

How Fig helps

Change Management with Fig

7-State Workflow

Proposed, Queued, Assessed, Accepted, Implementing, Verified, Completed. Every change follows a governed path with approval gates at each stage.

AI-Assisted Risk Scoring

The AI copilot assesses change risk, generates test plans, and creates rollback procedures. Risk scores factor in affected assets, policies, and compliance obligations.

Policy Compliance Gates

Changes are blocked automatically if they violate policy requirements. DPIA review is triggered when personal data is affected. Deployment approval requires multi-approver sign-off.

Full Audit Trail

Every change records who requested it, who approved it, what was affected, and whether it was rolled back. Impact assessment links to affected assets and services.

Core Capability

Fig enforces a 7-state change lifecycle with policy gates, CAB approval workflows, AI-assisted risk assessment, DPIA integration, and automatic reconciliation with CI/CD pipelines and ITSM systems.

Audit-ready workflow

How Change Management becomes evidence

Change Management should not be treated as a standalone tool surface. In Fig it is part of a governed workflow: a signal is captured, an owner is assigned, a control or risk is updated, and evidence is retained so the organisation can prove what happened later.

Lifecycle

Where it sits in the operating model

The Protect phase is where this capability sits in the wider Fig operating model. Without it, change requests live in spreadsheets or Jira tickets, risk assessments are manual guesswork, nobody checks whether a change affects compliance, and rollback plans exist on paper but are never tested. Fig turns that problem into a repeatable lifecycle so MSPs, risk teams, and auditors are not relying on static spreadsheets or ad hoc screenshots when a buyer asks for proof.

Evidence captured

What auditors and buyers see

For change management, useful evidence normally includes the triggering record, the affected asset or supplier, the control requirement, the assigned owner, the decision made, the timestamp, and the outcome. That evidence is mapped back to frameworks such as Cyber Essentials, ISO 27001, NIS2, DORA, GDPR, CMMC, and internal policy requirements where relevant.

Implementation checks

Four steps to roll this out

  • 01 Define who owns change management and what events should trigger review.
  • 02 Connect the relevant source systems so evidence is collected continuously.
  • 03 Map outputs to the frameworks and policies that matter to the organisation.
  • 04 Review exceptions, accepted risks, and overdue actions before audit or renewal.

Useful references

Independent sources buyers and auditors recognise

The exact evidence required still depends on your scope, risk profile, sector, and framework obligations.

Built for you

Who uses this?

MSPs & MSSPs

Standardised change management across all client environments. Portfolio-wide change calendars and approval workflows replace ad-hoc processes.


Security & risk teams

Change governance integrated with compliance obligations. Every infrastructure change checks against your policies before deployment.


Compliance & audit

Complete change history with approval chains, risk assessments, and rollback evidence for ISO 27001 A.12 and SOC 2 CC8.1 controls.


Common questions

Frequently asked questions

Does this replace ServiceNow Change Management?

For most organisations, yes. Fig provides the full change lifecycle with risk scoring, approval gates, and compliance integration. Organisations with complex ITIL processes may use both, with Fig handling the compliance governance layer.

How does AI risk scoring work?

The AI copilot analyses the change scope, affected assets, relevant policies, and historical change data to generate a risk score, recommended test plan, and rollback procedure. All AI outputs are reviewed by human approvers before execution.

Can we configure different approval workflows per change type?

Yes. Standard, emergency, and pre-approved change types each have configurable approval chains. Emergency changes can bypass normal gates but require retrospective review within a defined timeframe.

Does change management integrate with the compliance engine?

Directly. A change that affects a controlled system triggers a control re-evaluation. If the change creates a compliance gap, the Control Evaluation Engine flags it immediately rather than waiting for the next audit.

Is DPIA review automatic for changes involving personal data?

Yes. Changes flagged as affecting personal data processing automatically trigger a Data Protection Impact Assessment within the change workflow, ensuring Privacy by Design compliance.
