ISO 27001 Clause 6.3 Audit Checklist


How to audit ISO 27001 Clause 6.3

The ISO 27001 Clause 6.3 audit checklist is designed to help an ISO 27001 Lead Auditor conduct internal audits and external audits of ISO 27001 Clause 6.3 Planning Of Changes.

The 10-point audit plan below sets out what to audit for each area, the challenges an auditor is likely to face, and the audit techniques to adopt.


Review the Change Management Process

This involves verifying the existence and adequacy of a documented change management process, ensuring it aligns with best practices.

Challenges:

Resistance to change from staff, lack of management support for the process, difficulty in enforcing adherence to the process, keeping the documentation up-to-date and relevant.

Audit Techniques:

Document review (policies, procedures), interviews with IT and security personnel, walkthrough of the change management process, comparison against best practices (e.g., ITIL).

Assess Impact Assessment Procedures

Ensuring the organization has robust procedures for assessing the potential impact of changes on the ISMS.

Challenges:

Difficulty in accurately predicting the impact of complex changes, lack of expertise in impact assessment, time constraints leading to rushed assessments, inconsistent application of assessment criteria.

Audit Techniques:

Review of impact assessment templates and guidelines, interviews with change management personnel, examination of past change requests and their impact assessments, testing the impact assessment process with a hypothetical change scenario.

Evaluate Change Planning

Verifying that changes are planned in a controlled manner, considering resources, timelines, testing, and communication.

Challenges:

Unrealistic timelines, inadequate resource allocation, poor communication between teams, lack of detailed planning leading to unforeseen issues, difficulty in coordinating complex changes.

Audit Techniques:

Review of change implementation plans, interviews with project managers and change implementers, examination of resource allocation for changes, analysis of change schedules and timelines, review of test plans and results.

Examine Change Authorisation

Ensuring that changes are authorised by appropriate personnel before implementation.

Challenges:

Unclear authorisation levels, bypassing the approval process, lack of segregation of duties, difficulty in tracking approvals, pressure to approve changes quickly without proper scrutiny.

Audit Techniques:

Review of change approval workflows, interviews with approvers, examination of change authorisation records, verification of approval levels for different types of changes.

Assess Change Implementation

Verifying that changes are implemented as planned and documented.

Challenges:

Deviations from the planned implementation, errors during implementation, lack of rollback procedures, inadequate post-implementation validation, communication breakdowns during implementation.

Audit Techniques:

Observation of change implementation activities, review of change implementation records, interviews with change implementers, examination of system logs and configuration settings before and after changes, testing of implemented changes.

Evaluate Change Testing

Ensuring that changes are thoroughly tested before deployment to the production environment.

Challenges:

Insufficient testing time, inadequate test environments, lack of comprehensive test cases, difficulty in simulating real-world scenarios, poor communication between testers and developers.

Audit Techniques:

Review of test plans and test cases, examination of test results and reports, interviews with testers, observation of testing activities, independent testing of implemented changes.

Assess Change Communication

Verifying that changes are communicated to relevant interested parties in a timely and effective manner.

Challenges:

Identifying all relevant stakeholders, communicating complex technical information in a clear and understandable way, ensuring consistent messaging across different channels, lack of feedback mechanisms, communication overload.

Audit Techniques:

Review of communication plans and records, interviews with interested parties, analysis of communication effectiveness surveys, examination of communication channels used for different types of changes.

Examine Change Review

Ensuring that changes are reviewed after implementation to assess their effectiveness and identify lessons learned.

Challenges:

Lack of time for post-implementation reviews, difficulty in objectively assessing the success of a change, failure to capture lessons learned, reluctance to admit mistakes, lack of follow-up on identified improvements.

Audit Techniques:

Review of post-implementation review reports, interviews with change management personnel, examination of lessons learned documentation, analysis of change success rates and incident rates.

Evaluate Change Documentation

Verifying that accurate records of all changes to the ISMS are maintained.

Challenges:

Maintaining accurate and up-to-date records, data integrity issues, lack of version control, difficulty in retrieving historical records, inconsistent record-keeping practices.

Audit Techniques:

Review of change management system records, examination of change logs and audit trails, interviews with record keepers, verification of data integrity and completeness of change records.

Assess Emergency Change Management

Verifying the existence and effectiveness of a process for managing emergency changes.

Challenges:

Balancing the need for speed with the need for control, bypassing normal procedures in emergencies, inadequate testing of emergency changes, difficulty in documenting emergency changes, communication challenges during emergencies.

Audit Techniques:

Review of emergency change procedures, interviews with IT and security personnel, examination of past emergency change requests and their handling, testing the emergency change process with a simulated scenario.
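Several of the audit techniques above (verifying approval levels and segregation of duties under Change Authorisation, checking implementation against approval records, verifying completeness of change records under Change Documentation, and examining how emergency changes were handled) amount to running the same checks over a sample of change records exported from a ticketing or change management system. The script below is an added example, not part of this checklist or of any toolkit; it shows how an auditor can encode those checks and apply them to a sample. The record fields, the mapping of change types to acceptable approver roles, the 24-hour window for retrospective approval of emergency changes, and the sample records are all assumptions chosen for illustration, not requirements of ISO 27001.

```python
"""Sample-based checks over exported change records (added example, not from the page)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumption: which approver roles are adequate for each change type. An auditor
# would take these from the organisation's own change management procedure.
REQUIRED_APPROVER_ROLES = {
    "standard": {"change_manager", "cab"},
    "major": {"cab"},
    "emergency": {"ecab", "ciso"},
}

# Assumption: emergency changes must receive retrospective approval within this window.
EMERGENCY_APPROVAL_WINDOW = timedelta(hours=24)


@dataclass
class ChangeRecord:
    """One row of a change management export (field names are assumptions)."""
    change_id: str
    change_type: str                     # standard | major | emergency
    requester: str
    implementer: str
    approver: Optional[str]
    approver_role: Optional[str]
    approved_at: Optional[datetime]
    implemented_at: Optional[datetime]
    test_evidence: bool                  # test plan and results attached to the record
    rollback_plan: bool                  # rollback procedure documented
    post_review_at: Optional[datetime]   # post-implementation review recorded


def audit_change(rec: ChangeRecord) -> list[str]:
    """Return a list of audit findings for one record; an empty list means no finding."""
    findings: list[str] = []
    allowed_roles = REQUIRED_APPROVER_ROLES.get(rec.change_type)
    if allowed_roles is None:
        findings.append(f"unknown change type '{rec.change_type}'")
        allowed_roles = set()

    # Change Authorisation: an approval must exist, by a permitted role, and not by the
    # person who raised or implemented the change (segregation of duties).
    if rec.approver is None or rec.approved_at is None:
        findings.append("no authorisation recorded")
    else:
        if rec.approver_role not in allowed_roles:
            findings.append(f"approver role '{rec.approver_role}' not permitted for {rec.change_type} change")
        if rec.approver in (rec.requester, rec.implementer):
            findings.append("segregation of duties: approver is also requester or implementer")
        if rec.implemented_at is not None:
            if rec.change_type != "emergency" and rec.approved_at > rec.implemented_at:
                findings.append("implemented before authorisation")
            if rec.change_type == "emergency" and rec.approved_at > rec.implemented_at + EMERGENCY_APPROVAL_WINDOW:
                findings.append("emergency change: retrospective approval outside the agreed window")

    # Change Testing and Change Implementation: evidence of testing (emergency changes
    # are excused here and examined separately) and a documented rollback route.
    if not rec.test_evidence and rec.change_type != "emergency":
        findings.append("no test evidence")
    if not rec.rollback_plan:
        findings.append("no rollback plan")

    # Change Review: every implemented change should have a post-implementation review.
    if rec.implemented_at is not None and rec.post_review_at is None:
        findings.append("no post-implementation review")
    return findings


def audit_sample(records: list[ChangeRecord]) -> dict[str, list[str]]:
    """Run audit_change over a sample and key the findings by change id."""
    return {rec.change_id: audit_change(rec) for rec in records}


# Constructed sample export: four records that exercise the different checks.
SAMPLE_RECORDS = [
    ChangeRecord("CHG-001", "standard", "alice", "carol", "bob", "change_manager",
                 datetime(2024, 3, 1, 9), datetime(2024, 3, 2, 10), True, True, datetime(2024, 3, 5, 9)),
    ChangeRecord("CHG-002", "major", "dave", "dave", "dave", "cab",
                 datetime(2024, 3, 3, 15), datetime(2024, 3, 3, 14), False, True, None),
    ChangeRecord("CHG-003", "emergency", "erin", "erin", "frank", "ciso",
                 datetime(2024, 3, 4, 20), datetime(2024, 3, 4, 2), False, False, datetime(2024, 3, 6, 9)),
    ChangeRecord("CHG-004", "standard", "gina", "hal", None, None,
                 None, datetime(2024, 3, 7, 11), True, True, datetime(2024, 3, 8, 9)),
]

if __name__ == "__main__":
    for change_id, findings in audit_sample(SAMPLE_RECORDS).items():
        print(change_id, "OK" if not findings else "; ".join(findings))
```

The output is a per-record list of findings rather than a pass/fail verdict, which matches how sample results feed into an audit report: each finding maps back to one of the checklist areas above and can be raised with the interviewee who owns that record. The thresholds and role mapping must be replaced with the organisation's own documented values before the script says anything about conformance.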

Further Reading

How to conduct an ISO 27001 Internal Audit

ISO 27001 Clause 9.2 Internal Audit

ISO 27001 Clause 6.3 Planning Of Changes

ISO 27001 Annex A 8.32 – Change Management
