Table of contents
- ISO 27002 Change Management
- What is ISO 27002:2022 Control 8.32?
- Definition of ISO 27002 Control 8.32
- Purpose of ISO 27002 Control 8.32
- Ownership of ISO 27002 Control 8.32
- Compliance Guidance
- Supplementary Guidance on ISO 27002 Control 8.32
- Changes and Differences to ISO 27002:2013
- ISO 27002 Control 8.32 FAQ
- ISO 27002 Control 8.32 Attributes Table
ISO 27002 Change Management
Change management is essentially a roadmap for navigating transitions. While it generally focuses on adapting people, processes, and organisational culture, its meaning shifts significantly within IT. Here, it refers to the structured approach for managing modifications to systems, products, or software platforms.
In the context of information security, IT change management is crucial. It provides a framework for organisations to smoothly integrate new technologies and processes. This is vital in today’s dynamic environment where security threats evolve constantly, and businesses must adapt quickly.
Management demands agility in embracing new technologies. IT teams must efficiently implement regular service updates to address evolving security and business needs. Whether introducing new services, maintaining existing ones, or resolving code issues, a robust IT change management process is indispensable for successful transitions.
Changes to information processing facilities and systems pose a significant risk to data security if not properly managed.
To address these concerns, Change Management provides specific guidance on safeguarding sensitive information during change activities. By following these guidelines, organisations can ensure the security and integrity of their data throughout the change management process.
What is ISO 27002:2022 Control 8.32?
ISO 27002:2022 Control 8.32 provides the implementation guidance for ISO 27001 Annex A 8.32.
Definition of ISO 27002 Control 8.32
ISO 27002 states Control 8.32 as follows: changes to information processing facilities and information systems should be subject to change management procedures. The aim of those procedures is to preserve the confidentiality, integrity, and availability of information while changes are made.
Purpose of ISO 27002 Control 8.32
This is a preventive control designed to preserve information security when executing changes. Its purpose is to ensure that the confidentiality, integrity, and availability of the information the organisation processes are maintained throughout a change, not only after it is complete.
Ownership of ISO 27002 Control 8.32
The Information Security Officer is responsible for collaborating closely with the domain experts to establish appropriate change management controls and procedures.
Compliance Guidance
When implementing Change Management the following ISO 27002:2022 Control 8.32 guidance should be considered:
All significant modifications to information systems and the introduction of new systems must adhere to a defined set of rules and procedures. These changes require formal specification, documentation, and thorough testing and quality control.
To ensure compliance with change control regulations and standards, organisations must designate management responsibilities to appropriate personnel and establish necessary procedures.
ISO 27002 Control 8.32 outlines nine essential elements of a comprehensive change management procedure:
1. Impact Assessment: Plan and evaluate the potential impact of planned changes, considering all dependencies.
2. Authorisation Controls: Implement authorisation controls for all changes.
3. Communication: Inform relevant internal and external stakeholders about planned changes.
4. Testing and Acceptance: Establish and execute rigorous testing and acceptance testing processes for changes, aligned with Control 8.29.
5. Implementation Plan: Define the implementation strategy, including practical deployment procedures.
6. Emergency and Contingency Planning: Develop and maintain emergency and contingency plans, including a fallback procedure.
7. Record Keeping: Maintain detailed records of all changes and related activities, including those outlined in points 1-6.
8. Documentation Review: Review and update operating documentation (as per Control 5.37) and user procedures to reflect the changes.
9. ICT Continuity Plan Review: Review and revise ICT continuity plans, recovery, and response procedures to accommodate the changes.
Furthermore, organisations should strive for maximum integration of change control procedures for both software and ICT infrastructure.
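The nine elements above are easiest to enforce when the change record itself is checked before anything is deployed. The following is an added example, not code from the page or from ISO, of a pre-release gate that refuses a change until the record carries evidence for each element. The field names, the sample change requests, and the policy choice that an emergency change may defer communication, documentation and continuity-plan review (but never authorisation, testing or a fallback procedure) are all assumptions made for this illustration.

```python
# Added example (not from the page or from ISO): a pre-release gate that checks a
# change record against the nine elements of ISO 27002 Control 8.32.
# Field names, policy choices and the sample changes are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ChangeRequest:
    change_id: str
    requester: str
    affected_systems: List[str]                                 # element 1: dependencies
    impact_assessment: str = ""                                 # element 1
    approvers: List[str] = field(default_factory=list)          # element 2
    notified_parties: List[str] = field(default_factory=list)   # element 3
    tests_passed: Optional[bool] = None                         # element 4 (None = not run)
    implementation_plan: str = ""                               # element 5
    rollback_plan: str = ""                                     # element 6
    docs_updated: bool = False                                  # element 8
    continuity_plan_reviewed: bool = False                      # element 9
    emergency: bool = False


def deferred_obligations(cr: ChangeRequest) -> List[str]:
    """Elements an emergency change may complete after deployment (assumed policy);
    a routine change must complete them before deployment."""
    out = []
    if not cr.notified_parties:
        out.append("3: stakeholders not informed")
    if not cr.docs_updated:
        out.append("8: operating documentation not updated")
    if not cr.continuity_plan_reviewed:
        out.append("9: ICT continuity and recovery plans not reviewed")
    return out


def blocking_findings(cr: ChangeRequest) -> List[str]:
    """Return every reason the change may NOT be deployed; empty list means go."""
    findings = []
    if not cr.impact_assessment.strip():
        findings.append("1: no impact assessment")
    if not cr.affected_systems:
        findings.append("1: no affected systems listed")
    if not cr.approvers:
        findings.append("2: change not authorised")
    elif cr.requester in cr.approvers:
        # Separation of duties: the person raising a change never approves it.
        findings.append("2: requester cannot approve their own change")
    if cr.tests_passed is not True:
        findings.append("4: acceptance tests not passed")
    if not cr.implementation_plan.strip():
        findings.append("5: no implementation plan")
    if not cr.rollback_plan.strip():
        findings.append("6: no fallback procedure")
    if not cr.emergency:
        findings.extend(deferred_obligations(cr))
    return findings


class ChangeLog:
    """Element 7: append-only record of every gate decision, including the
    follow-up work an approved emergency change still owes."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def decide(self, cr: ChangeRequest) -> Dict:
        findings = blocking_findings(cr)
        approved = not findings
        entry = {
            "change_id": cr.change_id,
            "requester": cr.requester,
            "approvers": list(cr.approvers),
            "emergency": cr.emergency,
            "approved": approved,
            "findings": findings,
            "follow_up": deferred_obligations(cr) if (approved and cr.emergency) else [],
        }
        self.entries.append(entry)
        return entry


# Constructed sample changes (not real tickets).
ROUTINE = ChangeRequest(
    "CHG-1001", "alice", ["db-prod-01", "app-prod-01"],
    impact_assessment="minor DB upgrade; app servers depend on driver compatibility",
    approvers=["bob"], notified_parties=["app-team", "service-desk"], tests_passed=True,
    implementation_plan="upgrade during maintenance window, then smoke test",
    rollback_plan="restore previous package and snapshot", docs_updated=True,
    continuity_plan_reviewed=True)
SELF_APPROVED = ChangeRequest(
    "CHG-1002", "alice", ["web-01"], impact_assessment="config tweak",
    approvers=["alice"], tests_passed=True, implementation_plan="edit and reload",
    rollback_plan="revert file")
EMERGENCY = ChangeRequest(
    "CHG-1003", "carol", ["fw-edge-01"], impact_assessment="block actively abused port",
    approvers=["dave"], tests_passed=True, implementation_plan="push rule",
    rollback_plan="remove rule", emergency=True)

if __name__ == "__main__":
    log = ChangeLog()
    for cr in (ROUTINE, SELF_APPROVED, EMERGENCY):
        print(log.decide(cr))
```

Running the gate shows the three outcomes a practitioner cares about: the routine change passes cleanly, the self-approved change is refused on separation of duties and on the elements it skipped, and the emergency change is allowed through but its log entry records the communication, documentation and continuity-plan work still owed, which is what an auditor will ask for afterwards.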
Supplementary Guidance on ISO 27002 Control 8.32
Modifications to production environments, such as operating system or database updates, can jeopardise the integrity and availability of applications, especially when software is promoted from development into production.
A particular risk is that a software change produces unintended consequences once it is running in the production environment.
To reduce this risk, organisations should test ICT components in a dedicated environment that is isolated from both development and production. This isolation gives better control over new software and also protects any real data used during testing from the live systems.
The same testing discipline applies to patches and service packs, not only to new releases: they should be tested in the isolated environment before being rolled out to production.
Changes and Differences to ISO 27002:2013
While the 2022 version of ISO 27002 retains many similarities to its predecessor, a key distinction emerges:
The 2013 version of ISO 27002 provided more specific guidance on change control procedures compared to the 2022 edition.
Key differences include:
More Detailed Change Procedure Requirements
The 2013 version included specific requirements not found in the 2022 version, such as:
- Reviewing security-critical code to address vulnerabilities.
- Maintaining version control for all software updates.
- Identifying and documenting all components requiring updates.
Focus on Operating System Changes
ISO 27002 Control 14.2.3 in the 2013 version required business-critical applications to be reviewed and tested after operating platform changes so that operations and security were not adversely affected; the 2022 edition has no dedicated control for this.
Focus on Software Package Changes
ISO 27002 Control 14.2.4 in the 2013 version specifically addressed changes to software packages, which is not explicitly included in the 2022 edition.
ISO 27002 Control 8.32 FAQ
What is the difference between ISO 27001 Annex A 8.32 and ISO 27002 Control 8.32?
ISO 27001 Annex A 8.32 is the information security control requirement in the ISO 27001 standard against which certification is assessed. ISO 27002 Control 8.32 is the implementation guidance for that control.
Is Change Management required for ISO 27001 certification?
Yes. Change Management is an Annex A control that must be applied, or its exclusion justified in the Statement of Applicability, and any organisation that makes changes to its information systems will not be able to justify excluding it.
ISO 27002 Control 8.32 Attributes Table
Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains
---|---|---|---|---
Preventive | Confidentiality, Integrity, Availability | Protect | Information Protection, Application Security, System and Network Security | Protection