ISO 27001 Planning of Changes – New Control
The 2022 update to the ISO 27001 standard introduced a new control called ISO 27001:2022 Clause 6.3 planning of changes.
There is nothing to worry about here, so let us take a look at what it is and what you have to do.
First off, don’t panic.
Table of contents
What is ISO 27001 Clause 6.3 Planning of Changes?
The new control ISO 27001 clause 6.3 planning of changes relates directly to changes to the information security management system and that you will make the changes in a planned manner.
There is nothing at all to worry about here and you will have been doing this all along.
It is just now explicit in the standard.
ISO 27001 Clause 6.3 Definition
ISO 27001 defines ISO 27001 Clause 6.3 as:
When the organisation determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.
ISO 27001:2022 Clause 6.3
How to implement ISO 27001 Clause 6.3
To meet the requirement all you have to do is plan your changes to your information security management system and evidence that you managed the change.
This is easy to do if you follow best practice and review and republish your documents annually. Make sure you have a documented plan that shows when you last did it and when you are going to do it again.
You will have a Documents and Records Policy and be following it.
You will use the management review team to sign off your changes and you will update your communication plan with evidence of the communications taking place to communicate those changes.
It is good practice to have version control in your documents but also to keep previous revisions of documents / the information security management system so that you can revert back if needed.
The fact that you will already have continual improvement, incident management, internal audit policies and processes in place already factor in your planning for changes to the information security management system and can be used as evidence of such.
ISO 27001 Clause 6.3 Implementation Checklist
Planning Of Changes ISO 27001 Clause 6.3 Implementation Checklist:
1. Establish a Change Management Process
Define a formal process for managing changes to the ISMS, including procedures for planning, approving, implementing, and reviewing changes.
Challenge:
Lack of a documented and consistently followed process. Resistance to adopting formal procedures.
Solution:
Develop a clear and concise change management policy and procedure. Provide training to all relevant personnel. Emphasise the benefits of a formal process (e.g., reduced risk, improved stability).
2. Assess the Impact of Changes
Before implementing any change, conduct a thorough assessment of its potential impact on the ISMS, including risks and opportunities.
Challenge:
Overlooking potential impacts. Difficulty in predicting the consequences of complex changes.
Solution:
Involve relevant interested parties in the impact assessment. Use risk assessment methodologies to identify potential risks. Consider both positive and negative impacts.
3. Plan Changes in a Controlled Manner
Plan changes carefully, considering factors such as resources, timelines, testing, and communication.
Challenge:
Inadequate planning leading to delays or disruptions. Difficulty in coordinating complex changes.
Solution:
Develop detailed implementation plans for each change. Assign clear responsibilities and timelines. Conduct thorough testing before implementing changes in production.
4. Authorise Changes
Obtain appropriate authorisation before implementing any change.
Challenge:
Lack of clear approval authority. Implementing changes without proper authorisation.
Solution:
Define clear approval levels for different types of changes. Establish a formal change approval process. Use a change management system to track approvals.
5. Implement Changes as Planned
Implement changes according to the documented plan.
Challenge:
Deviations from the plan leading to unexpected issues. Difficulty in managing changes during implementation.
Solution:
Closely monitor the implementation process. Use project management tools to track progress. Have rollback plans in place in case of unforeseen issues.
6. Test Changes
Thoroughly test changes before they are deployed.
Challenge:
Inadequate testing leading to problems.
Solution:
Develop test plans. Use different testing methods.
7. Communicate Changes
Communicate changes to relevant interested parties in a timely and effective manner.
Challenge:
Lack of communication leading to confusion and disruption. Difficulty in reaching all affected parties.
Solution:
Develop a communication plan for each change. Use different communication channels (e.g., email, intranet, meetings). Provide clear and concise information about the change.
8. Review Changes
After a change has been implemented, review its effectiveness and identify any lessons learned.
Challenge:
Forgetting to review changes. Not capturing lessons learned.
Solution:
Schedule post-implementation reviews for all significant changes. Document lessons learned and incorporate them into future change planning.
9. Document Changes
Maintain accurate records of all changes to the ISMS.
Challenge:
Difficulty in keeping change records up-to-date. Lack of integration with other ISMS documentation.
Solution:
Use a centralised change management system. Integrate change records with other ISMS documentation (e.g., risk register, asset inventory).
10. Manage Emergency Changes
Have a process in place for managing emergency changes that need to be implemented quickly.
Challenge:
Difficulty in balancing speed with control during emergency changes.
Solution:
Define clear criteria for emergency changes. Establish an expedited change approval process. Ensure that emergency changes are still documented and reviewed.
ISO 27001 Clause 6.3 Audit Checklist
How to audit ISO 27001 Clause 6.3 Planning Of Changes
1. Review the Change Management Process
Verify the existence and adequacy of a documented change management process.
- Document review (policies, procedures)
- interviews with IT and security personnel
- walkthrough of the change management process
- comparison against best practices (e.g., ITIL)
2. Assess Impact Assessment Procedures
Ensure the organization has procedures for assessing the impact of changes on the ISMS.
- Review of impact assessment templates and guidelines
- interviews with change management personnel
- examination of past change requests and their impact assessments
- testing the impact assessment process with a hypothetical change scenario
3. Evaluate Change Planning
Verify that changes are planned in a controlled manner, considering resources, timelines, testing, and communication.
- Review of change implementation plans
- interviews with project managers and change implementers
- examination of resource allocation for changes
- analysis of change schedules and timelines
- review of test plans and results
4. Examine Change Authorisation
Ensure that changes are authorised by appropriate personnel before implementation.
- Review of change approval workflows
- interviews with approvers
- examination of change authorisation records
- verification of approval levels for different types of changes
5. Assess Change Implementation
Verify that changes are implemented as planned.
- Observation of change implementation activities
- review of change implementation records
- interviews with change implementers
- examination of system logs and configuration settings before and after changes
- testing of implemented changes
6. Evaluate Change Testing
Ensure that changes are thoroughly tested before deployment to the production environment.
- Review of test plans and test cases
- examination of test results and reports
- interviews with testers
- observation of testing activities
- independent testing of implemented changes
7. Assess Change Communication
Verify that changes are communicated to relevant interested parties in a timely and effective manner.
- Review of communication plans and records
- interviews with interested parties
- analysis of communication effectiveness surveys
- examination of communication channels used for different types of changes
8. Examine Change Review
Ensure that changes are reviewed after implementation to assess their effectiveness and identify lessons learned.
- Review of post-implementation review reports
- interviews with change management personnel
- examination of lessons learned documentation
- analysis of change success rates and incident rates
9. Evaluate Change Documentation
Verify that accurate records of all changes to the ISMS are maintained.
- Review of change management system records
- examination of change logs and audit trails
- interviews with record keepers
- verification of data integrity and completeness of change records
10. Assess Emergency Change Management
Verify the existence and effectiveness of a process for managing emergency changes.
- Review of emergency change procedures
- interviews with IT and security personnel
- examination of past emergency change requests and their handling
- testing the emergency change process with a simulated scenario
ISO 27001 Templates
Implementing ISO 27001 can be a significant undertaking and incur significant ISO 27001 Costs. To streamline the process and potentially save valuable time and resources, consider utilising pre-written ISO 27001 templates. This ISO 27001 Toolkit offers a comprehensive set of resources specifically designed for those seeking to achieve ISO 27001 certification independently. With this toolkit, you can potentially build your Information Security Management System (ISMS) within a week and be ready for certification within 30 days.
