How to Audit ISO 27001 Clause 6.3 Planning of Changes

Stuart And Fay High Table

In this ultimate how to audit guide to ISO 27001 Clause 6.3 Planning Of Changes, you will learn directly from an ISO 27001 Lead Auditor:

  • 10 Key Audit Steps
  • Verification Criteria
  • Required Evidence
  • The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

Auditing ISO 27001 Clause 6.3 is a formal governance verification process that evaluates how changes to the organisation affect the management system. It satisfies the primary implementation requirement of structured change planning and delivers the business benefit of maintaining continuous security integrity and operational resilience during transitions.

Auditing Clause 6.3 requires a focus on the “Planning of Changes” within the ISMS. An auditor must verify that modifications to the system are not ad hoc but follow a structured methodology that considers the purpose of the change and its potential impacts on information security. This involves examining the intersection of change management, resource availability, and the reassignment of responsibilities and authorities.

1. Audit the Change Management Framework

Verify that the organisation has a formalised process for planning changes to the ISMS. This ensures that any modification to policies, scope, or controls is documented and reviewed before implementation.

  • Inspect the ISMS Change Management Policy for specific planning requirements.
  • Confirm that the “Purpose of Change” is documented for at least three recent modifications.
  • Verify that changes are logged in a centralised register rather than in siloed department notes.

2. Evaluate ISMS Integrity Assessments

Assess how the organisation ensures the integrity of the ISMS is maintained during a change. This step prevents security gaps from appearing when shifting from one state to another, such as during a cloud migration or office relocation.

  • Check for impact assessments that specifically mention “ISMS Integrity”.
  • Verify that a rollback or contingency plan is defined for major system changes.
  • Audit the link between change logs and the Risk Register to ensure new risks are identified.

3. Review Resource Availability Evidence

Examine evidence that the organisation considers the availability of resources before committing to a change. A change without adequate funding, staff, or tools is a high-risk activity that can lead to control failure.

  • Inspect budget approvals or resource allocation emails for significant project changes.
  • Verify that the “Change Request” form includes a field for resource verification.
  • Check that technical staff availability was considered in the project timeline.