Your 10-Point Audit Checklist for ISO 27001 Clause 6.3: Planning of Changes

ISO 27001 Clause 6.3 Audit Checklist 2026

Introduction: Demystifying Change Planning in ISO 27001:2022

The ISO 27001:2022 update introduced Clause 6.3, ‘Planning of Changes’. For those preparing for an audit, this addition is not a complex hurdle but a formalisation of mature best practices: managing change in a deliberate, planned manner. As an auditor with over 30 years of experience, I view this clause as a critical governance tool rather than a bureaucratic obstacle.

This guide provides a comprehensive 10-point checklist detailing exactly how an auditor assesses compliance with Clause 6.3, ensuring your Information Security Management System (ISMS) is audit-ready.

What is ISO 27001 Clause 6.3?

The strategic purpose of Clause 6.3 is to ensure that changes to your ISMS are managed in a controlled, orderly fashion. It shifts operations from chaotic, ad-hoc adjustments to a structured approach that maintains the integrity of your security posture.

The Official Definition

“When the organisation determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.”
ISO 27001:2022 Clause 6.3

To pass the audit, you must provide objective evidence that you are applying this principle. The following checklist outlines the specific evidence auditors are trained to verify.

The Auditor’s Perspective: A 10-Point Checklist for Clause 6.3

In an audit, my primary goal is to find evidence that processes are effective and consistently followed. Below are the 10 key areas I examine to verify compliance with Clause 6.3.

1. Review the Change Management Process

I must confirm that a formal, documented change management process exists. Without a defined policy, change activity is inherently ad-hoc. A structured process demonstrates that the organisation values control and repeatability.

  • Evidence to Check: Documented policies and procedures.
  • Verification Method: Interviews with IT/security personnel and a walkthrough of the process against best practices (e.g., ITIL).

2. Assess Impact Assessment Procedures

Systematic assessment of the potential security impact of a proposed change is a key indicator of maturity. I look for a repeatable method used to evaluate risk before action is taken.

  • Evidence to Check: Impact assessment templates and past change requests.
  • Verification Method: Testing the process with a hypothetical scenario to ensure risks are evaluated prior to approval.

3. Evaluate Change Planning

Changes must be planned in a controlled manner. I look for detailed plans covering resources, timelines, and testing. This demonstrates foresight and prevents rushed executions.

  • Evidence to Check: Change implementation plans, resource allocation records, and timelines.
  • Verification Method: Interviews with project managers regarding specific past changes.

4. Examine Change Authorisation

Accountability is vital. I verify that changes are formally authorised by personnel with the appropriate level of authority. Unauthorised changes are a common source of security incidents.

  • Evidence to Check: Change approval workflows and authorisation records.
  • Verification Method: Cross-referencing approval levels against the type and sensitivity of the change.

5. Assess Change Implementation

This is where theory meets reality. I examine system logs and configuration settings to verify that the executed change matches the approved plan without unauthorised alterations.

  • Evidence to Check: System logs, configuration settings (before/after), and implementation records.
  • Verification Method: Direct observation of implementation activities where possible.

6. Evaluate Change Testing

Thorough testing before deployment is your primary defence against introducing vulnerabilities. Proper test plans and results demonstrate a commitment to stability.

  • Evidence to Check: Test plans, test cases, and results/reports.
  • Verification Method: Interviews with testers and review of independent testing data.

7. Assess Change Communication

A technically perfect change can fail if stakeholders are unprepared. I ensure changes are communicated to relevant parties effectively to minimise disruption.

  • Evidence to Check: Communication plans, emails, and briefing records.
  • Verification Method: Analysis of communication channels used for different change types.

8. Examine Change Review

I look for post-implementation reviews to assess effectiveness and capture lessons learned. This closes the loop and demonstrates a commitment to continual improvement.

  • Evidence to Check: Post-implementation review reports and lessons learned documentation.
  • Verification Method: Analysis of change success rates vs. incident rates.

9. Evaluate Change Documentation

If it is not documented, it did not happen. Detailed change logs and audit trails are definitive proof of a controlled process and are essential for incident investigation.

  • Evidence to Check: Change management system records, logs, and audit trails.
  • Verification Method: Verifying data integrity and completeness of the records.
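The following script is an added illustration of audit points 5 and 9 above; it is not part of the original checklist or of any High Table toolkit. It reconciles before/after configuration snapshots against the approved changes recorded for each system (point 5: the executed change matches the approved plan, with no unauthorised alterations) and checks that every change record is complete and correctly sequenced (point 9: integrity and completeness of records). The record fields, host names and configuration keys are assumptions, and all records and snapshots are constructed sample data.

```python
"""Reconcile executed configuration changes against approved change records.
All records and snapshots below are constructed sample data (assumed schema)."""

from datetime import datetime

# Minimum fields an auditor would expect on every change record (assumption).
REQUIRED_FIELDS = ("change_id", "target", "approved_by", "approved_at",
                   "implemented_at", "approved_changes", "reviewed_at")

# Constructed change records, as if exported from a change management system.
# CHG-0002 is deliberately defective: no approver, no review, implemented
# before it was approved.
CHANGE_RECORDS = [
    {"change_id": "CHG-0001", "target": "web-01", "approved_by": "ciso",
     "approved_at": "2025-03-01T09:00", "implemented_at": "2025-03-02T10:00",
     "approved_changes": {"ssh.PermitRootLogin": "no", "ssh.MaxAuthTries": "3"},
     "reviewed_at": "2025-03-05T09:00"},
    {"change_id": "CHG-0002", "target": "db-01", "approved_by": "",
     "approved_at": "2025-03-04T12:00", "implemented_at": "2025-03-03T08:00",
     "approved_changes": {"db.max_connections": "200"},
     "reviewed_at": ""},
]

# Constructed before/after configuration snapshots per target system.
# web-01 carries an extra firewall change nobody approved; db-01's approved
# change was never applied.
CONFIG_BEFORE = {
    "web-01": {"ssh.PermitRootLogin": "yes", "ssh.MaxAuthTries": "6",
               "ssh.Port": "22", "firewall.default": "deny"},
    "db-01": {"db.max_connections": "100", "db.ssl": "on"},
}
CONFIG_AFTER = {
    "web-01": {"ssh.PermitRootLogin": "no", "ssh.MaxAuthTries": "3",
               "ssh.Port": "22", "firewall.default": "allow"},
    "db-01": {"db.max_connections": "100", "db.ssl": "on"},
}


def _ts(value):
    """Parse an ISO timestamp, returning None for an empty field."""
    return datetime.fromisoformat(value) if value else None


def record_findings(record):
    """Completeness and sequencing checks on one change record (point 9)."""
    findings = []
    for field in REQUIRED_FIELDS:
        if not record.get(field):
            findings.append(f"missing {field}")
    approved = _ts(record.get("approved_at"))
    implemented = _ts(record.get("implemented_at"))
    reviewed = _ts(record.get("reviewed_at"))
    if approved and implemented and implemented < approved:
        findings.append("implemented before approval")
    if implemented and reviewed and reviewed < implemented:
        findings.append("reviewed before implementation")
    return findings


def config_diff(before, after):
    """Keys whose value differs between snapshots, as {key: (old, new)}."""
    return {k: (before.get(k), after.get(k))
            for k in set(before) | set(after) if before.get(k) != after.get(k)}


def reconcile(target, records, before, after):
    """Compare the actual diff for one target with its approved changes (point 5)."""
    approved = {}
    for rec in records:
        if rec.get("target") == target:
            approved.update(rec.get("approved_changes", {}))
    diff = config_diff(before, after)
    unauthorised = {k: v for k, v in diff.items() if k not in approved}
    not_applied = {k: v for k, v in approved.items() if after.get(k) != v}
    authorised = {k: diff[k] for k in approved
                  if k in diff and after.get(k) == approved[k]}
    return {"authorised": authorised, "unauthorised": unauthorised,
            "not_applied": not_applied}


def audit(records, before, after):
    """Run both checks over all records and targets; return finding strings."""
    findings = []
    for rec in records:
        for f in record_findings(rec):
            findings.append(f"{rec['change_id']}: {f}")
    for target in before:
        result = reconcile(target, records, before.get(target, {}),
                           after.get(target, {}))
        for key, (old, new) in result["unauthorised"].items():
            findings.append(f"{target}: unauthorised change {key} {old!r} -> {new!r}")
        for key, want in result["not_applied"].items():
            findings.append(f"{target}: approved change {key}={want!r} not applied")
    return findings


if __name__ == "__main__":
    for line in audit(CHANGE_RECORDS, CONFIG_BEFORE, CONFIG_AFTER):
        print(line)
```

Run against the sample data it reports the missing approver and review on CHG-0002, the out-of-order approval, the unapproved firewall change on web-01 and the approved but unapplied change on db-01. In practice the snapshots would come from a configuration management export and the records from the change system; the point for the auditor is that every difference between snapshots can be traced to an authorised, complete record, and every authorised change can be found in the live configuration.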

10. Assess Emergency Change Management

Emergency changes require speed but must not abandon control. I verify an expedited process exists that ensures urgent changes are still documented, authorised, and reviewed.

  • Evidence to Check: Emergency change procedures and past emergency request logs.
  • Verification Method: Simulation of an emergency scenario to test the process flow.


From Theory to Practice: A 10-Point Implementation Guide

To comply with Clause 6.3, organisations must embed a planned approach into daily operations. Below are common challenges and solutions for implementing a compliant process.

1. Establish the Process

Challenge: Lack of documented procedures and staff resistance.
Solution: Develop a concise policy and provide training that emphasises the benefits of reduced risk and improved stability.

2. Assess Impact

Challenge: Overlooking potential negative consequences.
Solution: Involve interested parties in the assessment and use established risk methodologies to evaluate positive and negative impacts.

3. Plan with Control

Challenge: Inadequate planning leading to project delays.
Solution: Develop detailed implementation plans with clear responsibilities and conduct testing before production deployment.

4. Formalise Authorisation

Challenge: Ambiguous approval authority.
Solution: Define clear approval levels for different change types and track all approvals via a central system.

5. Monitor Implementation

Challenge: Deviations from the plan causing unexpected issues.
Solution: Use project management tools to track progress and strictly maintain rollback plans.

6. Rigorous Testing

Challenge: Inadequate testing causing post-deployment failure.
Solution: Mandate formal test plans and use various testing methods to ensure stability.

7. Effective Communication

Challenge: Stakeholder confusion due to poor communication.
Solution: Create specific communication plans for each change using multiple channels (email, intranet).

8. Post-Implementation Review

Challenge: Failing to capture lessons learned.
Solution: Schedule mandatory reviews for significant changes and incorporate findings into future planning.

9. Maintenance of Records

Challenge: Outdated or fragmented records.
Solution: Utilise a centralised change management system integrated with the risk register and asset inventory.

10. Emergency Management

Challenge: Balancing speed with governance.
Solution: Define strict criteria for “emergencies” and establish an expedited approval path that still requires retrospective documentation.

Conclusion: Planned Change is Good Governance

ISO 27001 Clause 6.3 is not a compliance obstacle; it is a framework for resilience. By embracing a structured approach, you protect your organisation from the risks of chaotic change. The ultimate evidence of compliance is a documented, consistently followed process. Auditors do not look for complex tools; they look for consistent processes that can be traced from planning to review.

About the Author

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, Stuart combines academic rigour with extensive operational experience, including leading Data Governance for General Electric (GE). As a qualified ISO 27001 Lead Auditor and Lead Implementer, he has guided hundreds of organisations through the audit lifecycle.


His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.

As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organisations, from high-growth technology startups to enterprise financial institutions, through the audit lifecycle.

His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.

Stuart Barker - High Table - ISO27001 Director