Change management is the controlled process of planning, reviewing, and implementing changes to an organisation’s systems, services, or processes. In the context of ISO 27001, it ensures that any changes, whether planned or unplanned, do not negatively impact the confidentiality, integrity, or availability of information. It is a key preventative measure to avoid new vulnerabilities.
Key Components & Examples
- Controlled Process: A formal process for requesting, approving, and tracking changes. This often involves a Change Advisory Board (CAB) to review the security implications of a proposed change.
- Risk Assessment: Before a change is implemented, its potential impact on information security is assessed. For example, a software update must be evaluated for new vulnerabilities it might introduce.
- Communication: All relevant stakeholders are informed about the change, its timeline, and potential impact.
- Documentation: All changes, including their approval and implementation, are formally documented and recorded for audit purposes.
ISO 27001 Context
Change management is a critical part of the control environment in ISO 27001, addressed in ISO 27001 Annex A 8.32 Change Management. It is essential for maintaining the integrity and security of the Information Security Management System (ISMS) over time, ensuring that the organisation remains compliant and protected as its systems evolve.
