In this guide, I will show you exactly how small businesses and SMEs can implement ISO 27001:2022 Annex A 8.32 Change Management without the enterprise-level complexity. You will get a complete walkthrough of the control tailored for organizations with limited resources, along with practical examples and access to ISO 27001 templates that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience auditing businesses of all sizes. I will cut through the jargon to show you exactly what changed in the 2022 update and provide the plain-English advice you need to get your small business certified.
Key Takeaways: ISO 27001 Annex A 8.32 Change Management (SME Edition)
For Small and Medium-sized Enterprises (SMEs), ISO 27001 Annex A 8.32 is your safety catch. It is not about slowing you down with bureaucracy; it is about stopping you from breaking your own business. Small businesses often prioritise speed, but an untested update can take your website offline or expose your database. This control mandates a simple process to Request, Assess, Approve, and Implement changes so you can move fast without breaking things.
Core requirements for compliance include:
- Define “Change”: This is not just for software code. It covers changes to your infrastructure (e.g. firewall rules), cloud settings (e.g. AWS permissions), and even vendor swaps.
- The “Four-Step” Lifecycle: You need a simple workflow: Request (What are we doing?), Assess (What are the risks?), Approve (Authorisation by a manager/peer), and Implement (Do the work).
- The “Rollback” Plan: Before you push a change, you must know how to undo it. If the update crashes the system, can you revert to the previous version in 10 minutes? If not, do not proceed.
- Segregation of Duties: Ideally, the person building the change should not be the only one approving it. In a small team, a simple “peer review” or a “thumbs up” from a second person counts as independent authorisation.
- Testing is Mandatory: Never test in production. Use a staging site or a test device first. If you push code straight to live without testing, you are non-compliant.
Audit Focus: Auditors will look for “The Ticket Trail”:
- The Record: “Show me the ticket or log for the last major update you made. Is it documented?”
- The Approval: “Who authorised this change? Show me the manager’s approval (e.g. email, Jira comment, or Slack message).”
- The Safety Net: “What was your rollback plan for this change? Where is it written down?”
SME Change Management Checklist (Audit Prep):
| Stage | Action Required | SME Evidence Example |
| --- | --- | --- |
| Request | Document the intent. | Jira Ticket: “Update Payment Gateway Plugin”. |
| Assess | Check the risk. | Ticket Comment: “Risk: High. Downtime possible.” |
| Approve | Get permission. | Slack msg: “@Dave, approved to deploy tonight.” |
| Deploy | Execute & Verify. | Log entry: “Deployment successful. Site active.” |
| Rollback | Have an undo button. | “Backup taken at 17:00 before deployment.” |
What is ISO 27001 Annex A 8.32 for SMEs?
In plain English, Annex A 8.32 requires you to have a set of rules for making changes to your technology and information security systems. The standard states that changes to information processing facilities and information systems must be subject to change management procedures.
For a small business, this does not mean filling out a 10-page form to update an app. It means having a process to ask: “If we change this, what could go wrong, and how do we fix it if it does?”
Why Small Businesses Fail This Control
Small businesses often prize speed. You want to ship that new feature or install that new tool now. This speed often leads to skipping checks, resulting in:
- Downtime: An untested update crashes your payment gateway on a Friday afternoon.
- Security Holes: A firewall change meant to help a developer accidentally opens your database to the entire internet.
- Data Loss: Moving files to a new server without a backup plan results in lost client records.
The Simple 4-Step Process for SMEs
To comply with ISO 27001 without slowing your business down, use this simplified change management lifecycle:
1. Request and Plan
Before touching a live system, write down what you are going to do. This can be a simple ticket in Jira, Trello, or even a standardised email. Include:
- What is changing?
- Why are we doing it?
- What is the risk? (Low, Medium, High)
2. Assess and Approve
Have a “second pair of eyes” look at the plan. If you are a solo founder, this might be a checklist you force yourself to review. For teams, a manager or technical lead must say “Yes” before the change happens. This is your authorisation.
3. Test (The Sandbox)
Never test in production. Apply the change in a safe environment first. If you are updating a website, use a staging site. If you are installing new software, test it on a single laptop before rolling it out to the whole company.
4. Implement and Fallback
Make the change. Crucially, have a “rollback plan” ready. If the update fails, how do you get back to the state you were in 10 minutes ago? If you cannot answer this, do not proceed.
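The four steps above turned into a pre-deployment gate, as an added example that is not part of the original guide or the High Table toolkit: it refuses a production change unless the ticket shows the evidence an auditor asks for. The change-record layout (a Jira-style ticket reduced to a small record) and the two sample records are constructed assumptions.

```python
# Added example, not from the original guide or the High Table toolkit: a
# pre-deployment gate that refuses a production change unless its record
# shows the evidence an auditor asks for (request, assessed risk, independent
# approval, a test outside production, a rollback plan, and approval/test
# logged before the deploy). The record layout is assumed (e.g. a Jira export).
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple

RISK_LEVELS = {"Low", "Medium", "High"}

@dataclass
class ChangeRecord:
    ticket: str                   # e.g. "Update Payment Gateway Plugin"
    requested_by: str             # person implementing the change
    approved_by: Optional[str]    # manager or peer who gave the "thumbs up"
    risk: Optional[str]           # Low / Medium / High
    tested_in: Optional[str]      # environment the change was tested in
    rollback_plan: Optional[str]  # e.g. "Restore 17:00 backup"
    events: List[Tuple[datetime, str]] = field(default_factory=list)  # (when, stage)

def check_change(rec: ChangeRecord) -> List[str]:
    """Return control failures; an empty list means the change may go live."""
    failures = []
    if rec.risk not in RISK_LEVELS:
        failures.append("Assess: risk level missing or not Low/Medium/High")
    if not rec.approved_by:
        failures.append("Approve: no recorded approver")
    elif rec.approved_by == rec.requested_by:
        failures.append("Approve: implementer approved their own change")
    if not rec.tested_in or rec.tested_in.lower() == "production":
        failures.append("Test: change was not tested outside production")
    if not rec.rollback_plan:
        failures.append("Rollback: no written rollback plan")
    when = {stage: ts for ts, stage in rec.events}  # latest timestamp per stage
    if "deploy" in when:  # approval and test must be logged before the deploy
        for stage in ("approve", "test"):
            if stage not in when or when[stage] > when["deploy"]:
                failures.append(f"Implement: deployed before '{stage}' was logged")
    return failures

def demo() -> Tuple[List[str], List[str]]:
    """Constructed sample records: one compliant, one 'winging it'."""
    def t(h): return datetime(2024, 5, 3, h)
    good = ChangeRecord("Update Payment Gateway Plugin", "dave", "alice", "High",
                        "staging", "Restore 17:00 backup", [(t(10), "request"),
                        (t(11), "approve"), (t(15), "test"), (t(18), "deploy")])
    bad = ChangeRecord("Update All WordPress plugins", "dave", "dave", None,
                       "production", None, [(t(9), "deploy")])
    return check_change(good), check_change(bad)
```

Wiring `check_change` into a deploy script or CI job gives you the ticket trail the auditor asks for as a by-product of deploying.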
Practical Examples for Small Businesses
Scenario: Switching to Microsoft 365
Bad Practice: You buy the licences on Monday and switch everyone’s email over on Tuesday morning.
ISO 27001 Way: You plan the migration, test the settings on one account, back up all old emails, and schedule the switch for the weekend to minimise disruption.
Scenario: Updating Your Website Plugin
Bad Practice: Clicking “Update All” on your WordPress dashboard.
ISO 27001 Way: The developer tests the updates on a staging site. They check for conflicts. Once confirmed safe, they schedule the live update and take a backup immediately before clicking the button.
What the Auditor Will Ask
When the ISO 27001 auditor visits your small business, they will look for evidence that you are not just “winging it”. Be ready for these questions:
- “Can you show me the log of the last major change you made to your IT systems?”
- “Who authorised that change?”
- “Show me the risk assessment you did before moving your data to the cloud.”
- “What happens if this change fails? Show me your rollback plan.”
Summary Checklist
- Document every significant change (tickets or logs).
- Separate development/testing from live production systems.
- Approve changes formally (even a “Thumbs Up” in Slack can count if logged).
- Plan for failure (always have a backup).
Fast Track ISO 27001 Annex A 8.32 Compliance for SMEs with the ISO 27001 Toolkit
For Small Businesses and SMEs, ISO 27001 Annex A 8.32 (Change management) is the safety barrier that ensures changes to technology and information systems are controlled and documented. Small businesses often prize speed, but rushing changes can lead to downtime, security holes, and data loss. This control requires a simple process to ask: “If we change this, what could go wrong, and how do we fix it if it does?”
While SaaS compliance platforms often try to sell you “automated change tracking” or complex “workflow approval dashboards”, they cannot actually perform a risk assessment of your unique technology changes or ensure you have a viable “rollback plan”. Those are human technical and governance tasks. The High Table ISO 27001 Toolkit is the logical choice for SMEs because it provides the change framework you need without a recurring subscription fee.
1. Ownership: You Own Your Change Management Logic Forever
SaaS platforms act as a middleman for your compliance evidence. If you define your change procedures and store your approval logs inside their proprietary system, you are essentially renting your own operational stability.
- The Toolkit Advantage: You receive the Change Management Policy and Change Request Templates in fully editable Word and Excel formats. These files are yours forever. You maintain permanent ownership of your records, such as your specific history of risk assessments and rollback plans, ensuring you are always ready for an audit without an ongoing “rental” fee.
2. Simplicity: Governance for Agile and Small Teams
Annex A 8.32 is about formalising how changes are authorised and controlled, not about tooling. You do not need a complex new software interface to manage what a simple ticket in Jira or a logged Slack approval already does perfectly.
- The Toolkit Advantage: SMEs need to move fast without “winging it”. What they need is the governance layer to prove to an auditor that changes are authorised. The Toolkit provides pre-written “Simplified Change Lifecycles” and “Checklists” that formalise your existing speed into an auditor-ready framework, without forcing your team to learn a new software platform just to log a website plugin update.
3. Cost: A One-Off Fee vs. The “Change” Tax
Many compliance SaaS platforms charge more based on the number of “active changes”, “approvers”, or “integrated tickets” you track. For an SME, these monthly costs can scale aggressively for very little added value.
- The Toolkit Advantage: You pay a single, one-off fee for the entire toolkit. Whether you process 5 changes a month or 50, the cost of your Change Management Documentation remains the same. You save your budget for actual technology upgrades rather than an expensive compliance dashboard.
4. Freedom: No Vendor Lock-In for Your Operational Strategy
SaaS tools often mandate specific ways to report on and monitor “change management”. If their system does not match your unique business model or specialised industry requirements, such as a specific “Go/No-Go” gate, the tool becomes a bottleneck to efficiency.
- The Toolkit Advantage: The High Table Toolkit is 100% technology-agnostic. You can tailor the Change Procedures to match exactly how you operate, whether you use formal CAB reviews or lean, collaborative team sign-offs. You maintain total freedom to evolve your operational strategy without being constrained by the technical limitations of a rented SaaS platform.
Summary: For SMEs, the auditor wants to see proof that changes are not made directly to live systems without authorisation, testing, and a fallback plan. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.