The 2022 update to the ISO27001 standard introduced a new control called ISO27001 Clause 6.3 Planning of Changes.
There is nothing to worry about here, so let us take a look at what it is and what you have to do.
First off, don’t panic.
I am Stuart Barker, the ISO27001 Ninja, and this is the new ISO27001 control: ISO27001 Clause 6.3 Planning of Changes.
What is ISO27001 Clause 6.3 Planning of Changes?
The new control ISO27001 Clause 6.3 Planning of Changes relates directly to changes to the information security management system and requires that you make those changes in a planned manner.
There is nothing at all to worry about here and you will have been doing this all along.
It is just now explicit in the standard.
What does the ISO27001 standard say about ISO27001 Clause 6.3 Planning of Changes?
"When the organisation determines the need for changes to the information security management system, the changes shall be carried out in a planned manner." (ISO27001 Clause 6.3)
What you need to do for ISO27001 Clause 6.3 Planning of Changes
To meet the requirement all you have to do is plan your changes to your information security management system and evidence that you managed the change.
This is easy to do if you follow best practice and review and republish your documents annually. Make sure you have a documented plan that shows when you last did it and when you are going to do it again.
You will have a Documents and Records Policy and be following it.
It is good practice to have version control in your documents, but also to keep previous revisions of documents and of the information security management system so that you can revert if needed.
The continual improvement, incident management and internal audit policies and processes that you already have in place already factor in planning for changes to the information security management system, and they can be used as evidence of it.