In this ultimate how-to audit guide to ISO 27001 Annex A 8.32 Change Management, you will learn directly from an ISO 27001 Lead Auditor:
- 10 Key Audit Steps
- Verification Criteria
- Required Evidence
- The Pass / Fail Test
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- ISO 27001 Annex A 8.32 Change Management Audit Checklist
- 1. Change Management Policy Formalisation Verified
- 2. Technical Change Log Completeness Confirmed
- 3. Peer Review and Technical Authorisation Validated
- 4. Impact Assessment and Risk Analysis Confirmed
- 5. Rollback and Back-out Plan Integrity Verified
- 6. UAT and Security Testing Evidence Validated
- 7. Operational Documentation Alignment Confirmed
- 8. Emergency Change Procedure Enforcement Verified
- 9. Access Control Segregation During Changes Validated
- 10. Post-Implementation Review (PIR) Effectiveness Recorded
ISO 27001 Annex A 8.32 Change Management Audit Checklist
Auditing ISO 27001 Annex A 8.32 Change Management is the technical verification of the formal processes that govern modifications to information systems. The Primary Implementation Requirement is the enforcement of gated approval workflows and risk-based impact assessments, providing the Business Benefit of system stability and the prevention of unauthorised production outages.
This technical verification tool is designed for lead auditors to establish the integrity of the operational environment through controlled modifications. Use this checklist to validate compliance with ISO 27001 Annex A 8.32.
1. Change Management Policy Formalisation Verified
Verification Criteria: A documented policy defines the roles, responsibilities, and mandatory steps for identifying, logging, and reviewing changes to information processing facilities.
Required Evidence: Approved Change Management Policy or Standard Operating Procedure (SOP) with defined change categories (Standard, Normal, Emergency).
Pass/Fail Test: If the organisation cannot produce a formal document specifying the mandatory workflow for technical changes, mark as Non-Compliant.
2. Technical Change Log Completeness Confirmed
Verification Criteria: A centralised register or ITSM tool contains a comprehensive history of all requested, rejected, and implemented changes.
Required Evidence: Change log exports from tools like Jira, ServiceNow, or Azure DevOps showing unique IDs and timestamps.
Pass/Fail Test: If significant infrastructure modifications (e.g. firewall rule updates) are missing from the central change register, mark as Non-Compliant.
3. Peer Review and Technical Authorisation Validated
Verification Criteria: Technical changes require review and authorisation by an independent party (not the requester) before being scheduled for production.
Required Evidence: Change Request (CR) records showing digital sign-off from a technical lead or the Change Advisory Board (CAB).
Pass/Fail Test: If a developer or system administrator can approve and implement their own production changes without a second-party sign-off, mark as Non-Compliant.
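An auditor can apply the Pass/Fail tests for steps 2 and 3 to a change-register export programmatically. The following is an added example, not from the article or any ITSM vendor: it assumes a CSV export with the columns change_id, requester, approver and status, and reconciles it against a firewall audit log that carries a ticket reference; all sample data is constructed.

```python
"""Audit helper for Annex A 8.32 steps 2 and 3: sign-off independence and register completeness."""
import csv
import io

# Constructed sample change-register export (not real data), one row per change request.
REGISTER_CSV = """change_id,requester,approver,status,implemented_at,summary
CHG-1001,alice,bob,implemented,2024-03-01T10:00:00Z,Firewall rule for reporting subnet
CHG-1002,carol,carol,implemented,2024-03-02T11:30:00Z,Patch web tier
CHG-1003,dave,,implemented,2024-03-03T09:15:00Z,Rotate TLS certificate
CHG-1004,erin,frank,rejected,,Disable MFA for service account
"""

# Constructed firewall change history, as exported from the firewall's own audit log.
# The assumed "ticket" field is the change ID the engineer recorded when applying the rule.
FIREWALL_LOG = [
    {"ts": "2024-03-01T10:05:00Z", "rule": "allow 10.0.20.0/24 -> db:5432", "ticket": "CHG-1001"},
    {"ts": "2024-03-04T16:40:00Z", "rule": "allow 203.0.113.0/24 -> web:443", "ticket": ""},
]


def load_register(text):
    return list(csv.DictReader(io.StringIO(text)))


def find_self_approvals(rows):
    """Step 3: implemented changes with no approver or approved by the requester."""
    findings = []
    for r in rows:
        if r["status"] != "implemented":
            continue  # rejected or pending changes never reached production
        if not r["approver"]:
            findings.append((r["change_id"], "no second-party sign-off"))
        elif r["approver"] == r["requester"]:
            findings.append((r["change_id"], "self-approved"))
    return findings


def find_unregistered_firewall_changes(rows, fw_log):
    """Step 2: firewall modifications whose ticket is not an implemented change in the register."""
    implemented_ids = {r["change_id"] for r in rows if r["status"] == "implemented"}
    return [e["rule"] for e in fw_log if e["ticket"] not in implemented_ids]


def audit(register_text=REGISTER_CSV, fw_log=FIREWALL_LOG):
    rows = load_register(register_text)
    self_approvals = find_self_approvals(rows)
    unregistered = find_unregistered_firewall_changes(rows, fw_log)
    verdict = "Compliant" if not (self_approvals or unregistered) else "Non-Compliant"
    return {"self_approvals": self_approvals, "unregistered_firewall_changes": unregistered, "verdict": verdict}


if __name__ == "__main__":
    print(audit())
```

Each finding maps directly to a Non-Compliant mark in the checklist above: the self-approval and missing-approver rows fail step 3, and the firewall rule with no register entry fails step 2.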

