This paper describes the consequences of work undertaken to identify and document how a Regulator should systematically review a change safety case. The work found that there were key elements necessary in a change safety case to demonstrate that the predicted behaviour of a changed system will meet the necessary safety criteria. The paper describes some of the challenges associated with establishing a systematic risk-based review process, the key elements that were found to be necessary and their relationships. The paper also discusses how the review process may be enhanced to ensure that the change safety case addresses cyber security. The guidance itself is due to be published in 2018.