ISO 27001 Change Management Policy Beginner’s Guide

Time needed: 1 hour and 30 minutes

How to write an ISO 27001 Change Management Policy

1. Understand ISO 27001 requirements

   Understand the requirements of ISO 27001 Annex A 8.32 Change Management

2. Define the ISO 27001 Change Management Policy purpose and objectives

   Clearly state the policy’s role in securing information assets. Set specific objectives, like mitigating risks, complying with regulations, and ensuring business continuity. An example:
   
   The purpose of this policy is to manage the risk posed by changes in the company.

3. Define the ISO 27001 Change Management Policy scope

   Specify the systems, processes, and assets covered by the policy, including technical and non-technical aspects affected by changes.

4. Assign change roles and responsibilities

   Outline the responsibilities of change managers, advisory board members, IT teams, and stakeholders, defining their roles, authority, and accountability.

5. Establish change request procedures

   Define submission procedures, required documentation, and channels for change requests.

6. Evaluate and assess changes

   Establish criteria and processes to assess the impact and risks of proposed changes based on their nature and significance.

7. Approve and authorise changes

   Define criteria and procedures for approving changes, specifying roles and required documentation.

8. Document changes

   A register of changes is maintained.

9. Plan and implement changes

   Provide guidelines for planning, testing, and implementing approved changes, ensuring effective communication.

10. Change Prioritisation / Classification

    All change requests are prioritised in terms of benefit, urgency, effort required and potential impact on company operations.

11. Change Risk Assessment

    Changes are assessed for risk following the Risk Management Policy and Risk Management process.

12. Change Impact Assessment

    Changes are assessed for positive and negative impact to the customer and the company.

13. Change Testing

    Changes are tested in an isolated, controlled, and representative environment where feasible prior to implementation to minimise the risks to company processes, operations, security, and clients.

14. Version Control

    Software changes and updates are controlled with version control. Older versions are retained in accordance with retention and storage processes.

15. Communicating Change

    All users or user representatives impacted by a change are notified of the change.

16. Roll Back

    Procedures to roll back / recover from an unsuccessful change are in place where appropriate.

17. Change Freeze

    At certain critical times of the year, it may be necessary to impose a non-essential change freeze period.
    A change freeze may be approved by senior management during which time only the highest priority changes will be approved and implemented.

18. Emergency Change

    Emergency changes may operate outside the normal change process but must be approved by senior management. In some cases, events are critical enough that they must be rushed though, thereby creating an Emergency/Unscheduled Change. Each situation is different and as much consideration as possible should be given to the possible consequences of attempting this type of change. It is still necessary to obtain sufficient approval for the change, but this may be in the form of discussing the matter with a relevant service manager or section head and logging who it was discussed with and how it was approved.

19. Unauthorised Changes

    Unauthorised changes are tracked and reported to the Management Review Team meeting and escalated to senior management as required.
    Unauthorised changes are subjective to the Continual Improvement process.

20. Document and track changes

    Specify required documentation, such as change logs and records, capturing details, approvals, and implementation dates.

21. Monitor and review

    Set up processes for monitoring, auditing, and evaluating changes to ensure compliance, effectiveness, and continuous improvement.

22. Communicate and educate

    Clearly communicate the policy to employees and stakeholders, providing training on change management principles and best practices.

23. Review and update

    Regularly review and update the policy to adapt to technological advancements, regulatory changes, and organisational requirements.