ISO 27001 Annex A 8.32: Change Management for Small Businesses

For a small business, “change management” often sounds like bureaucratic red tape. You might think it is something only large corporations need. However, in the world of information security, uncontrolled change is one of the fastest ways to break your business.

ISO 27001 Annex A 8.32 exists to prevent the “oops” moments. It ensures that when you update software, switch email providers, or alter a business process, you do not accidentally expose customer data or take your website offline.

What is ISO 27001 Annex A 8.32?

In plain English, Annex A 8.32 requires you to have a set of rules for making changes to your technology and information security systems. The standard states that changes to information processing facilities and information systems must be subject to change management procedures.

For a small business, this does not mean filling out a 10-page form to update an app. It means having a process to ask: “If we change this, what could go wrong, and how do we fix it if it does?”

Why Small Businesses Fail This Control

Small businesses often prize speed. You want to ship that new feature or install that new tool now. This speed often leads to skipping checks, resulting in:

  • Downtime: An untested update crashes your payment gateway on a Friday afternoon.
  • Security Holes: A firewall change meant to help a developer accidentally opens your database to the entire internet.
  • Data Loss: Moving files to a new server without a backup plan results in lost client records.

The Simple 4-Step Process for SMEs

To comply with ISO 27001 without slowing your business down, use this simplified change management lifecycle:

1. Request and Plan

Before touching a live system, write down what you are going to do. This can be a simple ticket in Jira, Trello, or even a standardised email. Include:

  • What is changing?
  • Why are we doing it?
  • What is the risk? (Low, Medium, High)

2. Assess and Approve

Have a “second pair of eyes” look at the plan. If you are a solo founder, this might be a checklist you force yourself to review. For teams, a manager or technical lead must say “Yes” before the change happens. This is your authorisation.

3. Test (The Sandbox)

Never test in production. Apply the change in a safe environment first. If you are updating a website, use a staging site. If you are installing new software, test it on a single laptop before rolling it out to the whole company.

4. Implement and Fallback

Make the change. Crucially, have a “rollback plan” ready. If the update fails, how do you get back to the state you were in 10 minutes ago? If you cannot answer this, do not proceed.
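As an added illustration (not part of this article or of any toolkit it mentions), the four steps above encoded as a small Python gate: a change record must carry the plan, an authorisation, a non-production test environment and a rollback plan before it is allowed to proceed, and every decision is appended to a log the auditor can be shown. The field names, the log format and the `ChangeRequest` type are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

RISK_LEVELS = ("Low", "Medium", "High")


@dataclass
class ChangeRequest:
    """One change record: the ticket, email or card from step 1 (hypothetical schema)."""
    what: str                      # what is changing
    why: str                       # why we are doing it
    risk: str                      # Low / Medium / High
    requested_by: str
    approved_by: Optional[str] = None    # step 2: who said "yes"
    tested_in: Optional[str] = None      # step 3: e.g. "staging", "single laptop"
    rollback_plan: Optional[str] = None  # step 4: how to get back to 10 minutes ago


def gate_check(cr: ChangeRequest) -> List[str]:
    """Return the reasons this change must NOT proceed; an empty list means go ahead."""
    problems: List[str] = []
    if not cr.what.strip() or not cr.why.strip():
        problems.append("step 1: 'what' and 'why' must be written down")
    if cr.risk not in RISK_LEVELS:
        problems.append("step 1: risk must be one of Low, Medium or High")
    if not cr.approved_by:
        problems.append("step 2: no authorisation recorded")
    if not cr.tested_in:
        problems.append("step 3: no test environment recorded")
    elif cr.tested_in.strip().lower() in ("prod", "production", "live"):
        problems.append("step 3: never test in production")
    if not cr.rollback_plan:
        problems.append("step 4: no rollback plan, do not proceed")
    return problems


def log_decision(cr: ChangeRequest, log: List[str]) -> bool:
    """Run the gate, append an evidence line to `log`, and return True only if cleared."""
    problems = gate_check(cr)
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    verdict = "APPROVED" if not problems else "BLOCKED: " + "; ".join(problems)
    log.append(f"{stamp} | {cr.risk} | {cr.what} | by {cr.requested_by} "
               f"| approved_by={cr.approved_by} | tested_in={cr.tested_in} | {verdict}")
    return not problems
```

Running `log_decision` on each change request gives you, in one place, the "log of the last major change", "who authorised it" and "the rollback plan" that the auditor questions below ask for.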


Practical Examples for Small Businesses

Scenario: Switching to Microsoft 365

Bad Practice: You buy the licences on Monday and switch everyone’s email over on Tuesday morning.
ISO 27001 Way: You plan the migration, test the settings on one account, back up all old emails, and schedule the switch for the weekend to minimise disruption.

Scenario: Updating Your Website Plugin

Bad Practice: Clicking “Update All” on your WordPress dashboard.
ISO 27001 Way: The developer tests the updates on a staging site. They check for conflicts. Once confirmed safe, they schedule the live update and take a backup immediately before clicking the button.

What the Auditor Will Ask

When the ISO 27001 auditor visits your small business, they will look for evidence that you are not just “winging it”. Be ready for these questions:

  • “Can you show me the log of the last major change you made to your IT systems?”
  • “Who authorised that change?”
  • “Show me the risk assessment you did before moving your data to the cloud.”
  • “What happens if this change fails? Show me your rollback plan.”

Summary Checklist

  • Document every significant change (tickets or logs).
  • Separate development/testing from live production systems.
  • Approve changes formally (even a “Thumbs Up” in Slack can count if logged).
  • Plan for failure (always have a backup).

About the author

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.

Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.

As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.

His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.

Stuart Barker - High Table - ISO27001 Director