In this ultimate how-to guide to implementing ISO 27001 Clause 6.3 Planning of Changes, you will learn directly from an ISO 27001 Lead Auditor:
- The requirement of the clause
- The required implementation steps
- The minimum requirement
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
The 2022 update to the ISO 27001 standard introduced a new requirement: Clause 6.3, Planning of Changes. While new to the text of the standard, this clause formalises what has long been considered good practice in information security. It ensures that modifications to your Information Security Management System (ISMS) are deliberate, controlled, and safe.
This guide provides a step-by-step process for implementing Clause 6.3 effectively. Below, you will find a breakdown of the requirements and a practical 10-point checklist to ensure compliance and strengthen your ISMS.
What is ISO 27001 Clause 6.3?
Before implementing changes, it is vital to understand the core requirement. Clause 6.3 mandates that any changes to your ISMS must be carried out in a planned manner to prevent chaotic or ad-hoc modifications. Note that Clause 6.3 is about changes to the ISMS itself (its scope, policies, objectives, risk treatment and processes); changes to information systems and processing facilities are addressed by Annex A control 8.32, Change management. In practice one change management process can serve both, as long as ISMS-level changes are clearly captured by it.
The ISO 27001:2022 standard defines the clause as follows:
“When the organisation determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.”
In plain English: You must demonstrate foresight. Whether you are updating a policy, introducing a new security control, or adjusting a procedure, you must evidence that the change was planned, approved, and managed. This creates a clear audit trail and, because the plan includes a fallback, allows you to roll back a change if it introduces unexpected risks.
10-Step Implementation Checklist for Clause 6.3
To comply with Clause 6.3 and mature your organisation’s change management capabilities, follow this 10-step implementation checklist.
1. Establish a Change Management Process
The Goal: Define a documented process for managing all changes to the ISMS, covering planning, approval, implementation, and review.
- Challenge: Lack of consistency or personnel resisting formal procedures.
- Solution: Develop a concise change management policy. Train personnel on the benefits of formal processes, such as improved operational stability and reduced risk.
2. Assess the Impact of Changes
The Goal: Evaluate the potential risks and opportunities of a change before implementation.
- Challenge: Overlooking downstream impacts on complex systems.
- Solution: Involve interested parties (IT, legal, department heads) in the assessment. Use established risk assessment methodologies to evaluate both positive and negative consequences.
3. Plan Changes in a Controlled Manner
The Goal: Detail resources, timelines, testing procedures, and communication strategies.
- Challenge: Poor planning leading to delays or service disruptions.
- Solution: Create a detailed implementation plan for every change. Assign clear responsibilities and deadlines, and plan for testing in non-production environments.