What is the primary purpose of change management in security operations, and what risks does it mitigate?

Change management in security operations is about applying a formal, controlled process for making changes to security controls and the systems they protect. The main purpose is to ensure changes are requested, reviewed, authorized, tested, implemented, and documented, with a rollback plan if something goes wrong. This keeps security controls stable and reliable, prevents introducing new vulnerabilities or misconfigurations, and reduces the risk of outages or service disruption. By enforcing approvals, testing, and traceability, change management allows safe improvements without destabilizing the environment. The other options either remove necessary approvals, focus on irrelevant aspects like licenses, or impose an overly restrictive stance that blocks beneficial changes.