In this ultimate how-to audit guide to ISO 27001 Clause 6.3 Planning Of Changes, you will learn directly from an ISO 27001 Lead Auditor:
- 10 Key Audit Steps
- Verification Criteria
- Required Evidence
- The Pass / Fail Test
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- 1. Change Management Policy Formalisation Verified
- 2. Change Request Documentation Integrity Confirmed
- 3. Security Impact Assessment Completion Validated
- 4. Technical Change Authorisation Records Verified
- 5. Back-out and Recovery Planning Documentation Present
- 6. Post-Implementation Review (PIR) Execution Confirmed
- 7. Segregation of Duties in Change Lifecycle Validated
- 8. Emergency Change Procedure Activation Logs Verified
- 9. Stakeholder Communication and Notification Records Present
- 10. Change Window and Resource Planning Evidence Confirmed
1. Change Management Policy Formalisation Verified
Verification Criteria: A documented policy exists that defines the scope of changes (significant vs. minor), roles, responsibilities, and the mandatory stages of the change lifecycle.
Required Evidence: Approved Change Management Policy with version control and evidence of communication to relevant technical staff.
Pass/Fail Test: If the policy does not explicitly define what constitutes a “significant change” requiring security impact assessment, mark as Non-Compliant.
2. Change Request Documentation Integrity Confirmed
Verification Criteria: Every modification to the ISMS scope or technical environment is preceded by a formal record containing the description, justification, and proposed implementation date.
Required Evidence: A sample of 10 recent tickets from the Change Management System (e.g., Jira, ServiceNow) showing complete header data.
Pass/Fail Test: If any “Closed” change record is found without an initial justification or description of the original state, mark as Non-Compliant.
3. Security Impact Assessment Completion Validated
Verification Criteria: Each proposed change undergoes a specific review to identify potential risks to confidentiality, integrity, and availability prior to approval.
Required Evidence: Risk assessment logs or “Security Impact” fields within the change records for all high-priority modifications.
Pass/Fail Test: If the security impact assessment is treated as a generic “Yes/No” checkbox without a descriptive risk analysis for high-risk changes, mark as Non-Compliant.
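The pass/fail tests in items 2 and 3 are the kind of checks an auditor runs over an export of sampled change tickets. The following is an added example, not code from the original guide or from any toolkit: it applies those two tests to a constructed sample of change records. The field names (status, justification, original_state, proposed_date, priority, security_impact) are assumptions; map them to whatever your Jira or ServiceNow export actually uses.

```python
"""Added example: apply the item 2 and item 3 pass/fail tests to sampled change records.
Field names are assumed, not taken from any specific change management product."""
from dataclasses import dataclass

# Values that indicate a bare checkbox rather than a descriptive risk analysis (item 3).
CHECKBOX_VALUES = {"", "yes", "no", "y", "n", "true", "false", "n/a"}

# Header fields every change record must carry before implementation (item 2).
REQUIRED_FIELDS = ("description", "justification", "original_state", "proposed_date")


@dataclass
class Finding:
    change_id: str
    item: int      # guide item the finding relates to (2 or 3)
    reason: str


def is_descriptive(text: str, min_words: int = 5) -> bool:
    """A security impact entry counts only if it is real prose, not a Yes/No value."""
    cleaned = (text or "").strip().lower()
    if cleaned in CHECKBOX_VALUES:
        return False
    return len(cleaned.split()) >= min_words


def audit_change_records(records: list[dict]) -> list[Finding]:
    """Return one Finding per failed test; an empty list means the sample passed."""
    findings: list[Finding] = []
    for rec in records:
        cid = rec.get("id", "<no id>")
        # Item 2: a record without description, justification, original state or
        # proposed date was not a formal request preceding the change.
        for fld in REQUIRED_FIELDS:
            if not (rec.get(fld) or "").strip():
                findings.append(Finding(cid, 2, f"missing {fld}"))
        # Item 3: high-priority changes need a descriptive security impact assessment.
        if (rec.get("priority") or "").lower() == "high":
            if not is_descriptive(rec.get("security_impact", "")):
                findings.append(Finding(cid, 3, "security impact is a checkbox, not an analysis"))
    return findings


def sample_is_compliant(records: list[dict]) -> bool:
    """Mark the sample Non-Compliant if any single record fails either test."""
    return not audit_change_records(records)


# Constructed sample tickets (not real data) exercising the pass and fail paths.
SAMPLE_RECORDS = [
    {"id": "CHG-1001", "status": "Closed", "priority": "low",
     "description": "Rotate TLS certificate on the public web tier",
     "justification": "Certificate expires next month",
     "original_state": "Certificate issued 2023, SHA-256, valid to end of quarter",
     "proposed_date": "2024-03-05", "security_impact": "No"},
    {"id": "CHG-1002", "status": "Closed", "priority": "medium",
     "description": "Upgrade database engine to latest minor release",
     "justification": "",                       # fails item 2
     "original_state": "Engine at previous minor release, replica lag nominal",
     "proposed_date": "2024-03-12", "security_impact": "Patch only, no schema change"},
    {"id": "CHG-1003", "status": "Closed", "priority": "high",
     "description": "Open new inbound firewall rule for partner integration",
     "justification": "Partner API go-live",
     "original_state": "No inbound access from partner ranges",
     "proposed_date": "2024-03-20", "security_impact": "Yes"},   # fails item 3
    {"id": "CHG-1004", "status": "Closed", "priority": "high",
     "description": "Enable SSO for the ticketing portal",
     "justification": "Remove local password store",
     "original_state": "Local accounts with password policy enforced",
     "proposed_date": "2024-03-28",
     "security_impact": "Authentication moves to the IdP; local accounts disabled after cutover, "
                        "MFA enforced, session lifetime reduced; rollback re-enables local accounts"},
]

if __name__ == "__main__":
    for f in audit_change_records(SAMPLE_RECORDS):
        print(f"{f.change_id}: item {f.item} - {f.reason}")
    print("Compliant" if sample_is_compliant(SAMPLE_RECORDS) else "Non-Compliant")
```

Run it against a CSV or JSON export of the ten sampled tickets from item 2 and the output is the list of records to raise with the auditee; one failing record is enough for a Non-Compliant mark on the relevant item, which is why the overall verdict is a simple all-or-nothing.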