In this guide, I will show you exactly how small businesses and SMEs can implement ISO 27001:2022 Clause 6.3 Planning Of Changes without the enterprise-level complexity. You will get a complete walkthrough of the control tailored for organizations with limited resources, along with practical examples and access to ISO 27001 templates that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience auditing businesses of all sizes. I will cut through the jargon to show you exactly what changed in the 2022 update and provide the plain-English advice you need to get your small business certified.
What is ISO 27001 Clause 6.3 for SMEs?
Before you can effectively implement any part of the ISO 27001 standard, it is crucial to fully understand what it is asking of you. This section clarifies the official definition of Clause 6.3 and explains its practical implications for an SME.
The Official Definition
The standard itself is direct. The complete text for ISO 27001 Clause 6.3 states:
“When the organisation determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.”
Why Is This Clause Necessary?
This clause was added to make an existing best practice explicit within the standard. Your ISMS is the foundation of your security posture; unplanned changes can introduce unforeseen risks, vulnerabilities, or operational disruptions. By requiring changes to be planned, the standard ensures that your organisation manages the evolution of its ISMS thoughtfully.
The good news is that many of your existing processes can be used as evidence of this planning. Activities you already undertake, such as continual improvement, incident management, and internal audits, all contribute to fulfilling this requirement as they inherently involve planned responses and changes to the ISMS.
How to implement ISO 27001 Clause 6.3 for SMEs
Implementing Clause 6.3 effectively boils down to establishing and following a clear, repeatable process for managing change within your ISMS. This is not about creating complex bureaucracy; it is about ensuring consistency and control. The following checklist provides a practical roadmap.
1. Establish a Change Management Process
Create a formal, documented procedure that outlines how your organisation will plan, approve, implement, and review any changes to the ISMS.
- The Challenge: Lack of a documented, consistently followed process.
- The Solution: Develop a clear policy defining what constitutes a change and who can request one.
- Auditor’s Focus: This procedure is usually the first document they ask for; they will assess whether it is adequate for your size and risk profile before looking at any records.
2. Assess the Impact of Changes
Before implementation, conduct a thorough assessment of the potential impact on information security, including new risks or opportunities.
- The Challenge: Overlooking potential impacts or strictly focusing on technical outcomes.
- The Solution: Involve relevant parties (IT, legal, department heads) to get a 360-degree view.
- Auditor’s Focus: They will scrutinise past records to see if your impact assessments are sufficiently thorough.
3. Plan Changes in a Controlled Manner
A careful plan should consider the resources needed (people, budget, tools), realistic timelines, and testing protocols.
- The Challenge: Inadequate planning leading to delays or disruptions.
- The Solution: Develop detailed implementation plans for each change, assigning clear responsibilities.
- Auditor’s Focus: Your implementation plans are key pieces of evidence proving you consider all necessary factors.
4. Authorise Changes
Ensure changes are reviewed and formally approved by the appropriate authority (e.g., a Change Advisory Board or a line manager) before implementation.
- The Challenge: Implementing changes without proper authorisation.
- The Solution: Define approval levels based on risk and maintain a signed trail of approvals.
- Auditor’s Focus: The chain of authorisation is a critical audit trail they will examine.
5. Implement Changes as Planned
Once authorised, the change must be carried out according to the documented plan to avoid deviations.
- The Challenge: Deviations from the plan leading to unexpected issues.
- The Solution: Closely monitor implementation and have pre-defined rollback plans ready.
- Auditor’s Focus: They will compare system logs or engineer notes against the original plan for consistency.
6. Test Changes
Thorough testing is non-negotiable. Changes must be rigorously tested to ensure they work as intended without introducing vulnerabilities.
- The Challenge: Inadequate testing leading to post-implementation failure.
- The Solution: Develop formal test plans including functional, security, and User Acceptance Testing (UAT).
- Auditor’s Focus: Test plans and results are vital evidence of compliance.
7. Communicate Changes
Effective communication is key. All relevant stakeholders must be informed about the change in a timely manner.
- The Challenge: Lack of communication leading to staff confusion.
- The Solution: Develop a communication plan identifying who needs to know what, and when.
- Auditor’s Focus: They will look for emails or meeting minutes to verify effective communication.
8. Review Changes
After implementation, review the change’s effectiveness to confirm it achieved its goal and to capture lessons learned.
- The Challenge: Forgetting to review changes once they are “live”.
- The Solution: Schedule mandatory post-implementation reviews for significant changes.
- Auditor’s Focus: Post-implementation reports demonstrate a mature, learning process.
9. Document Changes
Maintain a clear, accurate record of all changes to the ISMS for accountability and auditing.
- The Challenge: Difficulty keeping records up-to-date.
- The Solution: Use a centralised log or system that links to other ISMS documentation.
- Auditor’s Focus: They look for a complete chain of evidence from request to review.
10. Manage Emergency Changes
Your process must include a specific, expedited procedure for urgent changes (for example, an emergency patch or a configuration change made in response to a security incident) that still maintains control: a clear definition of what qualifies as an emergency, who may authorise it, and how the normal assessment, testing and documentation steps are completed retrospectively.
- The Challenge: Balancing speed with control.
- The Solution: Define strict criteria for “emergencies” and ensure retrospective documentation is completed immediately after stability is restored.
- Auditor’s Focus: They will test your emergency process for robustness to ensure it isn’t a loophole.
Preparing for Your Audit: What the Auditor Will Look For
Being prepared for your ISO 27001 audit is strategically important. An auditor’s role is to verify that your ISMS meets the standard’s requirements. Below is a checklist of what an auditor will examine to verify compliance with Clause 6.3.
Audit Checklist for Clause 6.3
- Reviewing the Change Management Process: Do you have a formal policy? Evidence includes document reviews and interviews with IT/security personnel.
- Assessing Impact Assessment Procedures: Do you consider security consequences? Evidence includes impact assessment templates and past change requests.
- Evaluating Change Planning: Are resources and timelines considered? Evidence includes project plans and resource allocation records.
- Examining Change Authorisation: Is there a clear sign-off? Evidence includes approval workflows and authorisation records.
- Assessing Change Implementation: Did you follow the plan? Evidence includes system logs and configuration settings.
- Evaluating Change Testing: Was it tested before going live? Evidence includes test cases, results, and reports.
- Assessing Change Communication: Who was told? Evidence includes communication plans and stakeholder interviews.
- Examining Change Review: Did you learn from it? Evidence includes post-implementation review reports.
- Evaluating Change Documentation: Is the log complete? Evidence includes change management system records and audit trails.
- Assessing Emergency Change Management: How do you handle crises? Evidence includes review of past emergency changes and retrospective documentation.
Fast Track ISO 27001 Clause 6.3 Compliance for SMEs with the ISO 27001 Toolkit
For Small Businesses and SMEs, ISO 27001 Clause 6.3 (Planning of changes) is about formalising good practices you likely already follow. It ensures that when you determine a need for changes to your Information Security Management System (ISMS), they are carried out in a planned and thoughtful manner. This is not designed to be an administrative burden but a way to turn the process of change from a potential weakness into a strategic strength, enhancing your overall resilience.
While SaaS compliance platforms often try to sell you “automated change workflows” or complex “deployment dashboards”, they cannot actually assess the 360-degree impact of a change on your unique business context or ensure your emergency retrospective documentation is completed. Those are human governance and operational tasks. The High Table ISO 27001 Toolkit is the logical choice for SMEs because it provides the change framework you need without a recurring subscription fee.
1. Ownership: You Own Your Change History Forever
SaaS platforms act as a middleman for your compliance evidence. If you define your change processes and store your implementation plans inside their proprietary system, you are essentially renting your own operational evolution.
- The Toolkit Advantage: You receive the Change Management Procedure and Change Log templates in fully editable Word and Excel formats. These files are yours forever. You maintain permanent ownership of your records, such as your specific history of impact assessments and authorised approvals, ensuring you are always ready for an audit without an ongoing “rental” fee.
2. Simplicity: Governance for Pragmatic Change Management
Clause 6.3 is about consistency and control. You do not need a complex new software interface to manage what a well-structured procedure and a centralised change log already do perfectly for an SME.
- The Toolkit Advantage: SMEs need processes that are repeatable but not bureaucratic. What they need is the governance layer to prove to an auditor that changes are tested and authorised. The Toolkit provides pre-written “10-Step Implementation Plans” and “Emergency Procedures” that formalise your existing agile or manual changes into an auditor-ready framework, without forcing your team to learn a new software platform just to log a system update.
3. Cost: A One-Off Fee vs. The “Change Request” Tax
Many compliance SaaS platforms charge more based on the number of “active changes”, “approvers”, or “system integrations” you track. For an SME that evolves quickly, these monthly costs can scale aggressively for very little added value.
- The Toolkit Advantage: You pay a single, one-off fee for the entire toolkit. Whether you manage 5 significant changes a year or 50, the cost of your Change Planning Documentation remains the same. You save your budget for actual infrastructure improvements rather than an expensive compliance dashboard.
4. Freedom: No Vendor Lock-In for Your Evolution Strategy
SaaS tools often mandate specific ways to report on and monitor “ISMS changes”. If their system does not match your unique business model or specialised industry requirements, such as specific UAT (User Acceptance Testing) protocols, the tool becomes a bottleneck to efficiency.
- The Toolkit Advantage: The High Table Toolkit is 100% technology-agnostic. You can tailor the Change Procedures to match exactly how you operate, whether you use formal Change Advisory Boards or lean, collaborative team sign-offs. You maintain total freedom to evolve your change strategy without being constrained by the technical limitations of a rented SaaS platform.
Summary: For SMEs, the auditor wants to see a formal policy for change, evidence of impact assessments (including security consequences), and a clear chain of authorisation for implementations. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
Conclusion: Change as a Strength
Ultimately, ISO 27001 Clause 6.3 is not about creating restrictive rules. It is about ensuring that changes to your vital Information Security Management System are handled in a controlled, planned, and thoughtful way. By embracing a structured approach, you turn the process of change from a potential weakness into a strategic strength, enhancing your organisation’s overall resilience.
