ISO 27001 Annex A 8.32 Audit Checklist: 10 Steps to Compliance

In the world of information security, change management is the living backbone of credible, auditable compliance. Far from being a bureaucratic hurdle, a robust change management process is your primary defence against the very chaos it is designed to control. According to Gartner, nearly 70% of service outages originate from uncontrolled or undocumented changes—a primary reason they are also a leading cause of failed audits.

These are not cataclysmic events but the everyday system tweaks, software updates, and configuration changes that, when left unmanaged, create the cracks through which security incidents, service disruptions, and failed audits enter. This guide provides a practical, 10-point checklist to help you build a change management process that is not just compliant with ISO 27001:2022 Annex A 8.32, but is also secure, resilient, and audit-proof.

The Ultimate Change Management Audit Checklist
Frequently Asked Questions (FAQ)
Conclusion

The Ultimate Change Management Audit Checklist

The following ten points provide a step-by-step process for implementing the requirements of ISO 27001 Annex A 8.32. Adhering to this checklist will help you build a more resilient and secure operational environment where change strengthens your security posture rather than weakens it.

Point 1: Establish Your Formal Change Management Policy

The foundation of any auditable change management process is a clear, documented policy. This is often the first document an auditor will ask for, as it establishes the official rules of engagement. Your policy must, at a minimum, define the following essential components:

The end-to-end process for requesting, evaluating, approving, and implementing all changes.
Clear roles and responsibilities, specifying who has the authority to request, approve, and implement changes.
Standards for documentation and record-keeping to ensure a complete audit trail is maintained.
The mandatory requirement for a risk and security impact assessment for all non-trivial changes.
A specific procedure for handling emergency changes that require an accelerated, yet controlled, workflow.

Auditor’s Tip: We look at the approval date on your policy to ensure it is a living document that has been formally reviewed and authorised by management, not a dusty file created just for the audit.

Point 2: Define and Classify Your Change Types

A one-size-fits-all change process is inefficient. By classifying changes, you can apply the right level of rigour to each situation, balancing agility with control.

Change Type	Description	Typical Approval Path
Standard / Repeatable	Low-risk, routine changes that follow a pre-approved, well-documented pattern (e.g., standard OS patching).	Pre-approved routines that follow a templated, fast-entry workflow.
Normal	Non-trivial changes that could affect confidentiality, integrity, or availability.	Requires a full pre-check, risk assessment, and formal review and approval.
Emergency	Urgent changes required to fix a critical incident or patch a severe vulnerability.	Follows a safe, shortened path for immediate action, with a mandatory retrospective review.

Point 3: Initiate and Document Every Change Request

A formal change request is the starting point for a defensible audit trail. Its purpose is to capture the “who, what, and why” of a proposed change before any action is taken. A complete change request form must capture:

What is being changed (e.g., which systems, applications, or infrastructure).
The business and/or security drivers for the change.
The systems, data, and users that will be affected.
The name of the change initiator who is formally requesting the change.

Auditor’s Tip: When sampling change records, the first thing checked is the existence of a formal request. If the trail starts with an email or a chat message, it is an immediate red flag.

Point 4: Conduct a Thorough Risk and Impact Assessment

This is the most critical thinking step. An auditor will look for evidence that this analysis was performed diligently. The assessment must cover:

Identify Technical and Security Impact: Assess how the change affects confidentiality, integrity, or availability. Consider impacts on logging, monitoring, and backups.
Consider Dependencies: Evaluate the ripple effect on other systems, third-party integrations, and underlying infrastructure.
Define a Rollback Plan: Detail the specific steps required to revert the change if it fails, including who is authorised to make the call.

Point 5: Enforce a Clear, Role-Based Approval Workflow

Clear approval is the cornerstone of accountability. Vague “team” approvals are insufficient; the process must require a formal sign-off from empowered authorities. Approvals should be obtained from:

A technical owner to validate technical feasibility.
A business owner to confirm alignment with business needs.
A security reviewer (for higher-risk changes) to ensure security controls are maintained.

Auditor’s Tip: Auditors will verify that approval signatures are from authorised individuals listed in your policy and are timestamped prior to implementation.

Point 6: Test All Changes in a Segregated Environment

This point creates a critical link between change management (Control 8.32) and the separation of development, testing, and production environments (Control 8.31). Testing must meet several key objectives:

Confirm functionality: Does the change deliver the intended outcome?
Verify security: Have any new vulnerabilities been introduced?
Check performance: Avoid unexpected degradation of service.
Document outcomes: Record issues found and their resolution.

Auditor’s Tip: Be prepared to show evidence—like screenshots, test logs, or QA sign-offs—that proves validation was performed in a non-production environment.

Point 7: Follow a Controlled Implementation and Verification Plan

The implementation phase should be a carefully managed rollout. A controlled deployment plan includes:

Scheduling the change within a sensible maintenance window.
Informing all relevant teams (IT, security, support) in advance.
Performing post-change checks to verify service operation.
Monitoring systems for unexpected alerts immediately following the change.

Point 8: Maintain a Complete and Traceable Audit Trail

If it isn’t documented, it didn’t happen. The change record (change log) is the primary piece of evidence that proves your process is functioning. To ensure full traceability, the final change record must contain:

The implementation date and time.
The name of the individual(s) who implemented the change.
The results of post-change verification tests.
Confirmation of whether a rollback was needed.
Any follow-up actions required.

Auditor’s Tip: A common mistake is leaving change records open indefinitely. Auditors look for a formal closure step confirming the process is complete.

Point 9: Ensure Staff Training and Awareness

Compliance is a habit that must be embedded into the culture. A multi-channel strategy ensures the process is understood:

Reference Wiki: For detailed “how-to” guides.
Workshops: For role-playing emergency scenarios.
Microlearning: For onboarding and periodic refreshers.

Point 10: Continuously Monitor, Review, and Improve

This point ensures your change management process remains relevant. This is the “continual improvement” cycle auditors look for. Key activities include:

Conducting regular reviews of the change process (Input for Clause 9.3).
Tracking metrics like change success rate and incident frequency.
Learning from failed changes through structured post-implementation reviews.

DO IT YOURSELF

STOP SPANKING £10,000s on CONSULTANTS and ISMS ONLINE PLATFORMS

The Ultimate ISO 27001 Toolkit

Frequently Asked Questions (FAQ)

What policies do I need for ISO 27001 Annex A 8.32?

You need a formal change management policy. This document should define the process for requesting and approving changes, impact assessment procedures, roles and responsibilities, and standards for documentation.

What should a complete change record look like for an audit?

A complete change record must include the initial request, timestamped sign-offs, documentation of independent test results, an execution log showing who performed the change and when, and a final closure note confirming the outcome.

How should emergency changes be handled to remain compliant?

Emergency changes must follow an accelerated but documented workflow. Define a safe shortcut with clear criteria. The process should require minimal but real authorisation, retrospective logging, and a mandatory post-implementation review.

Do I have to satisfy Annex A 8.32 for ISO 27001 certification?

Yes. For any organisation with an IT environment, this control is effectively mandatory. It is extremely difficult to justify excluding change management, as auditors expect a robust process to mitigate risks related to uncontrolled changes.

Conclusion

A well-implemented change management process transforms compliance from a burden into a strategic asset. It systematically reduces the risk of self-inflicted outages, strengthens your security posture, and provides a defensible record of diligence. Mastering change management builds resilience and fosters trust with auditors, customers, and partners.

About the author

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.

Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.

As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.

His toolkits represents the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wp_woocommerce_session_*	2 days	WooCommerce sets this cookie to make a unique code for each customer so that it knows where to find the cart data in the database for each one.
yith_wcmcs_currency	7 days	Required for currency conversion.
__stripe_mid	1 year	Stripe sets this cookie to process payments.
__stripe_sid	1 hour	Stripe sets this cookie to process payments.

Cookie	Duration	Description
yt-player-headers-readable	never	The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-available	session	The yt-remote-cast-available cookie is used to store the user's preferences regarding whether casting is available on their YouTube video player.
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Cookie	Duration	Description
sbjs_current	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_current_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_migrations	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_session	1 hour	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_udata	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.

Cookie	Duration	Description
PREF	8 months	PREF cookie is set by Youtube to store user preferences like language, format of search results and other customizations for YouTube Videos embedded in different sites.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
m	1 year 1 month 4 days	No description available.
_monsterinsights_uj	1 year	Description is currently not available.

Your 10-Point Audit Checklist for Mastering ISO 27001 Change Management (Annex A 8.32)

Table of contents