An ISO 27001 Change Management Policy is your company’s plan for handling changes to your systems and processes in a safe way. Think of it as a set of rules to make sure a new update or change doesn’t accidentally cause a security problem. It’s all about being careful and organised before you change something important.
Table of contents
- What is it?
- Applicability to Small Businesses, Tech Startups, and AI Companies
- ISO 27001 Change Management Policy Template
- Why you need it
- When you need it
- Who needs it?
- Where you need it
- How to write it
- How to implement it
- Examples of using it for small businesses
- Examples of using it for tech startups
- Examples of using it for AI companies
- How the ISO 27001 toolkit can help
- Information security standards that need it
- List of relevant ISO 27001:2022 controls
- ISO 27001 Change Management Policy Template Example
- ISO 27001 Change Management Policy FAQ
What is it?
This policy is a formal document that lays out the steps you must follow before making any changes to your information technology (IT) systems or security processes. It’s designed to make sure all changes are planned, reviewed, and tested properly to avoid security risks, service interruptions, or other problems.
Applicability to Small Businesses, Tech Startups, and AI Companies
This policy is useful for businesses of all sizes, including small businesses, tech startups, and AI companies.
- Small Businesses: It helps you formalise how you handle important updates, like a new e-commerce plugin or a change to your Wi-Fi password.
- Tech Startups: It’s crucial for managing software updates, new feature releases, and changes to your cloud infrastructure.
- AI Companies: It’s essential for documenting and controlling changes to your AI models, algorithms, and the data you use to train them.
ISO 27001 Change Management Policy Template
It can be confusing to work out what to include in a change management policy, or where to start. A pre-written, ready-to-go ISO 27001 Policy Template can save you a lot of heartache, which is why we have done the heavy lifting with the ISO 27001:2022 Change Management Policy Template.
Why you need it
You need this policy because changes, big or small, can open up new security gaps. Without a plan, you might introduce a vulnerability or accidentally break a security control. This policy helps you think through all the potential risks and makes sure you can fix any issues before they become a major problem.
When you need it
You need a change management policy in place as soon as your systems are live and you start making changes to them. You’ll use it every time you update software, change network settings, install new hardware, or modify a security procedure. It should be a part of your daily operations.
Who needs it?
Anyone who makes changes to your IT systems or security controls needs to follow this policy. This includes developers, system administrators, and IT support staff. Managers and leaders also need to be aware of it to ensure that the policy is being followed correctly.
Where you need it
This policy applies everywhere in your company where changes are made to your IT environment. This includes your servers, networks, applications, and cloud services. It doesn’t matter if the change is made in a data center or on a remote employee’s laptop; the rules are the same.
How to write it
Writing the policy should be straightforward. Start by defining what a “change” is in your company. Then, outline a step-by-step process for making changes, including:
- Submitting a change request.
- Reviewing the request for risks.
- Getting the change approved.
- Testing the change in a safe environment.
- Putting the change into action.
- Reviewing the change after it’s been made.
Use simple language so everyone on your team can understand it.
Time needed: 1 hour and 30 minutes
How to write an ISO 27001 Change Management Policy
- Understand ISO 27001 requirements
Understand the requirements of ISO 27001 Annex A 8.32 Change Management
- Define the ISO 27001 Change Management Policy purpose and objectives
Clearly state the policy’s role in securing information assets. Set specific objectives, like mitigating risks, complying with regulations, and ensuring business continuity. An example:
The purpose of this policy is to manage the risk posed by changes in the company.
- Define the ISO 27001 Change Management Policy scope
Specify the systems, processes, and assets covered by the policy, including technical and non-technical aspects affected by changes.
- Assign change roles and responsibilities
Outline the responsibilities of change managers, advisory board members, IT teams, and stakeholders, defining their roles, authority, and accountability.
- Establish change request procedures
Define submission procedures, required documentation, and channels for change requests.
- Evaluate and assess changes
Establish criteria and processes to assess the impact and risks of proposed changes based on their nature and significance.
- Approve and authorise changes
Define criteria and procedures for approving changes, specifying roles and required documentation.
- Document changes
A register of changes is maintained.
- Plan and implement changes
Provide guidelines for planning, testing, and implementing approved changes, ensuring effective communication.
- Change Prioritisation / Classification
All change requests are prioritised in terms of benefit, urgency, effort required and potential impact on company operations.
- Change Risk Assessment
Changes are assessed for risk following the Risk Management Policy and Risk Management process.
- Change Impact Assessment
Changes are assessed for positive and negative impact to the customer and the company.
- Change Testing
Changes are tested in an isolated, controlled, and representative environment where feasible prior to implementation to minimise the risks to company processes, operations, security, and clients.
- Version Control
Software changes and updates are controlled with version control. Older versions are retained in accordance with retention and storage processes.
- Communicating Change
All users or user representatives impacted by a change are notified of the change.
- Roll Back
Procedures to roll back / recover from an unsuccessful change are in place where appropriate.
- Change Freeze
At certain critical times of the year, it may be necessary to impose a non-essential change freeze period.
A change freeze may be approved by senior management, during which time only the highest priority changes will be approved and implemented.
- Emergency Change
Emergency changes may operate outside the normal change process but must be approved by senior management. In some cases, events are critical enough that they must be rushed through, thereby creating an Emergency/Unscheduled Change. Each situation is different, and as much consideration as possible should be given to the possible consequences of attempting this type of change. It is still necessary to obtain sufficient approval for the change, but this may be in the form of discussing the matter with a relevant service manager or section head and logging who it was discussed with and how it was approved.
- Unauthorised Changes
Unauthorised changes are tracked and reported to the Management Review Team meeting and escalated to senior management as required.
Unauthorised changes are subject to the Continual Improvement process.
- Document and track changes
Specify required documentation, such as change logs and records, capturing details, approvals, and implementation dates.
- Monitor and review
Set up processes for monitoring, auditing, and evaluating changes to ensure compliance, effectiveness, and continuous improvement.
- Communicate and educate
Clearly communicate the policy to employees and stakeholders, providing training on change management principles and best practices.
- Review and update
Regularly review and update the policy to adapt to technological advancements, regulatory changes, and organisational requirements.
How to implement it
To put the policy into action, you’ll need to train your team on the new process. You can use a ticketing system to manage change requests and approvals. Make sure everyone knows how to submit a request and what their role is in the process. It’s a good idea to hold regular meetings to review upcoming changes and discuss any potential issues.
Examples of using it for small businesses
If you run a small online shop, your change management policy might require you to test a new security plugin on a test site before you install it on your live store. This simple step prevents you from accidentally breaking your website or opening it up to hackers.
Examples of using it for tech startups
For a startup launching a new app, the policy would specify that a new feature must be tested by the quality assurance (QA) team before it’s released. It would also require a team lead to approve any changes to the app’s database.
Examples of using it for AI companies
For an AI company, your policy would cover changes to your AI model’s code or the data used for training. You would need to document why the change was made, what the expected outcome is, and how it was tested to ensure it didn’t create new risks.
How the ISO 27001 toolkit can help
An ISO 27001 toolkit is a great shortcut. It often includes pre-written policies, procedures, and forms that you can use right away. It saves you the hassle of writing everything from scratch and helps you make sure you don’t miss any important details.
Information security standards that need it
This policy is a key part of ISO 27001, which is an international standard for managing information security. Other standards that need it include:
- GDPR (General Data Protection Regulation)
- CCPA (California Consumer Privacy Act)
- DORA (Digital Operational Resilience Act)
- NIS2 (Network and Information Security (NIS) Directive)
- SOC 2 (Service Organisation Control 2)
- NIST (National Institute of Standards and Technology)
- HIPAA (Health Insurance Portability and Accountability Act)
List of relevant ISO 27001:2022 controls
The ISO 27001:2022 standard has specific controls that relate to change management:
- ISO 27001:2022 Annex A 8.32 Change Management
- ISO 27001:2022 Annex A 5.22 Monitoring, review and change management of supplier services
ISO 27001 Change Management Policy Template Example
An example ISO 27001 Change Management Policy:
ISO 27001 Change Management Policy FAQ
To manage changes to your systems in a controlled way to prevent security risks.
No, it also applies to changes in your security processes and procedures.
The policy should specify which types of changes need formal approval.
Yes, it helps prevent simple mistakes that can have big consequences.
This policy is specifically focused on the security and risk side of changes, not just the project’s timeline.
You could face security breaches, system failures, or fail an ISO 27001 audit.
No, it’s a living document that you should continually use and review.
You should review it at least once a year or whenever there’s a big change in your business.
The policy should include a process for handling emergency changes, even if it’s a shortened version of the regular process.
Yes, any changes to your website, from new features to bug fixes, should be managed under this policy.
The policy should define who has the authority to approve different types of changes.
It provides clear evidence to auditors that you have a formal process for managing changes, which is a key requirement.
Yes, having a process for change control is a required part of the standard.
Find a good template and decide who will be in charge of writing and maintaining it.
Use a simple ticketing or tracking system to keep a record of all change requests.