
How to Audit ISO 27001 Annex A 8.32 Change Management

In this ultimate how to audit guide to ISO 27001 Annex A 8.32 Change Management, you will learn directly from an ISO 27001 Lead Auditor:

  • 10 Key Audit Steps
  • Verification Criteria
  • Required Evidence
  • The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

Auditing ISO 27001 Annex A 8.32 is the verification process that ensures changes to information processing facilities and information systems are controlled, managed, and approved to maintain security. It requires auditors to confirm that a structured change management lifecycle is applied, from request to post-implementation review, ensuring production stability and data integrity are not compromised by unauthorised or untested modifications.

Auditing Annex A 8.32 requires a technical deep dive into the organisation’s change control workflows. An auditor must verify that changes are not merely documented but are risk-assessed, tested, and authorised by personnel with the appropriate technical competence. Use the following steps to evaluate the effectiveness of the change management process within the ISMS.

1. Verify a Formalised Change Management Policy Exists

Verify the existence of a documented policy that defines the scope, roles, and responsibilities for change management. This ensures that all stakeholders understand the mandatory requirements for modifying information systems.

  • Inspect the policy for clear definitions of “standard,” “normal,” and “emergency” changes.
  • Confirm that the policy has been approved by senior management and communicated to the technical teams.
  • Check that the policy includes requirements for impact assessments and security reviews.

2. Audit the Logical Separation of Environments

Evaluate the technical separation between development, testing, and production environments. Strict isolation prevents untested code or configuration errors from impacting live services and protects production data from unauthorised access.

  • Inspect network diagrams or cloud VPC configurations to confirm environment isolation.
  • Verify that distinct IAM roles are used for each environment to prevent “privilege creep.”
  • Confirm that production data is not used in test environments without formal anonymisation or masking.

3. Inspect IAM Roles for Segregation of Duties

Assess the assignment of Identity and Access Management roles to ensure that the individual who develops a change is not the same person who authorises its deployment to production. This prevents accidental or malicious unauthorised changes.

  • Review the IAM role matrix for Segregation of Duties (SoD) conflicts.
  • Check the CI/CD pipeline configurations to ensure that “Push to Production” requires a second-person approval.
  • Verify that administrative access to production is restricted to a limited number of authorised personnel.