ISO 27001:2022 Annex A 8.32 Change Management Explained

Last updated Oct 21, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

ISO 27001 Annex A 8.32 Change Management is an ISO 27001 control that requires organisations to manage changes to both the information security management system (ISMS) and to the information processing facilities.

Key Takeaways

  • Formal management of changes is mandatory
  • Consider the help of a change management professional
  • The control is called ISO 27001:2022 Annex A 8.32 Change Management
  • The implementation guidance is given in ISO 27002:2022 Control A 8.32 Change Management

What is it?

This rule is a simple idea: You must manage changes in a safe, controlled way.

It means that whenever you plan to change something important about your IT systems, networks, or business processes, you need to check first to see if that change will hurt your security.

You need a clear plan or process that makes you stop and ask:

  1. What are we changing?
  2. Why are we changing it?
  3. Will this change create a new security risk?
  4. Who needs to say “yes” before we start?
  5. How will we check it works afterward?

Purpose

ISO 27001 Annex A 8.32 is a preventive control to preserve information security when executing changes.

Definition

ISO 27001 defines ISO 27001 Annex A 8.32 as:

Changes to information processing facilities and information systems should be subject to change management procedures.

ISO 27001:2022 Annex A 8.32 Change Management

Ownership

In close collaboration with domain experts, the Information Security Officer is responsible for establishing and maintaining effective change management controls and procedures.

Applicability to Small Businesses, Tech Startups, and AI Companies

Change Management is useful for businesses of all sizes, including small businesses, tech startups, and AI companies. Examples of using this control include:

  • Small Businesses: You need to protect your customer lists and financial data. You probably don’t have a large IT team, so one wrong move can hurt you a lot.
  • Tech Startups: You are changing your product or platform every day! This rule helps you release new features fast without breaking your security controls.
  • AI Companies: Your algorithms and data models are your most important assets. You need a safe process when you update your AI models or change how you store training data.

Why do you need it?

You need this rule because it helps you keep your information secure and your business running smoothly. Good Change Management helps you:

  • Avoid mistakes: Stop small changes from causing big security failures or system crashes.
  • Stay secure: Make sure any new system or process is just as safe as the old one – or even safer!
  • Be accountable: Know who approved what and when, which is great for audits.

When do you need it?

You should use your Change Management process any time you are changing something that could affect your information security.

  • You are installing a new server or a piece of software.
  • You are updating your firewall rules.
  • You are changing who has access to important customer data.
  • You are rolling out a new security policy for your staff.
  • You are moving your systems to a different cloud provider.

Who needs to be involved?

This will change based on how big you are, but generally, you need:

  1. The Person Making the Change: You write down what you plan to do and why.
  2. The Owner of the System: You know if the change is a good idea for your specific system.
  3. The Security Manager: You check the change for any new risks.
  4. The Approver: A senior person (like a CTO or CEO) who gives the final go.

Where do you need it?

It applies to all parts of your Information Security Management System (ISMS).

Think of it this way: Change Management is the safety belt you wear whenever you change the “driving instructions” (your ISMS). It applies to your IT systems, your policies, your physical office security (like installing a new lock system), and how your staff works.

How do you write it?

Keep it simple! You need to document a clear path for every change. Your document should cover these main steps:

  1. Request: You fill out a form (a Change Request) with details.
  2. Review: You check the plan for risks and confirm it won’t break anything.
  3. Approve: You get the necessary manager or security person to sign off.
  4. Implement: You make the change.
  5. Test: You confirm the change worked and the system is safe.
  6. Close: You officially record that the change is done and documented.

How do you implement it?

Change management can be a profession in its own right, and this control is no substitute for that. What we are going to do is manage changes to the information processing facilities for in-scope products and services, and manage changes to the information security management system.

There are nine essential elements of a comprehensive Change Management procedure:

  • Impact Assessment: Thoroughly assess and plan for the potential impact of all planned changes, considering all dependencies.
  • Authorisation Controls: Implement robust authorisation controls for all proposed changes.
  • Stakeholder Communication: Effectively communicate planned changes to all relevant internal and external stakeholders.
  • Rigorous Testing: Establish and execute rigorous testing and acceptance testing processes for all changes.
  • Implementation Strategy: Define a clear and detailed implementation strategy, including practical deployment procedures.
  • Emergency and Contingency Planning: Develop and maintain comprehensive emergency and contingency plans, including a fallback procedure.
  • Comprehensive Record Keeping: Maintain detailed records of all changes and related activities.
  • Documentation Updates: Review and update all relevant operating documentation and user procedures to reflect the changes.
  • ICT Continuity Plan Review: Review and revise all ICT continuity plans, recovery, and response procedures to accommodate the changes.

How to implement ISO 27001 Annex A 8.32: Step-by-Step

In this step-by-step implementation checklist for ISO 27001 Change Management I show you, based on real-world experience and best practice, the best way to implement Annex A 8.32.

1. Define Change Management Process

Challenge

Lack of a clear and documented process, leading to inconsistencies and confusion.

Solution

Develop a comprehensive change management process with clear roles and responsibilities, documented procedures, and standardised forms.

2. Identify and Assess Changes

Challenge

Difficulty in identifying all potential changes impacting the ISMS.

Solution

Implement a proactive change identification process, such as regular risk assessments, internal audits, and management reviews.

3. Conduct Impact Assessments

Challenge

Inaccurate or incomplete impact assessments, leading to inadequate risk mitigation measures.

Solution

Utilise a standardised risk assessment methodology and involve relevant stakeholders in the impact assessment process.

4. Obtain Authorisations

Challenge

Delays and bottlenecks in obtaining necessary approvals for changes.

Solution

Establish clear approval workflows, delegate appropriate authority levels, and utilise electronic approval systems to streamline the process.

5. Implement and Test Changes

Challenge

Inadequate testing and validation of changes, leading to unforeseen issues and potential security breaches.

Solution

Conduct thorough testing of all changes, including unit testing, integration testing, and user acceptance testing.

6. Communicate Changes

Challenge

Poor communication of changes to affected stakeholders, leading to confusion, resistance, and operational disruptions.

Solution

Develop and implement a robust communication plan, including regular updates, training sessions, and clear documentation.

7. Monitor and Review Changes

Challenge

Lack of ongoing monitoring and review of implemented changes, leading to potential deviations and performance degradation.

Solution

Conduct regular post-implementation reviews to assess the effectiveness of changes and identify any areas for improvement.

8. Document Changes

Challenge

Inadequate documentation of changes, leading to difficulties in tracking, auditing, and maintaining the ISMS.

Solution

Maintain a centralised change register, document all changes thoroughly, and ensure that all relevant documentation is updated accordingly.

9. Integrate Change Management with Other Processes

Challenge

Lack of integration between change management and other key processes, such as risk management, incident management, and internal audits.

Solution

Ensure that change management is seamlessly integrated with other key ISMS processes to ensure consistency and efficiency.

10. Continual Improvement

Challenge

Resistance to change and a lack of focus on continuous improvement within the change management process itself.

Solution

Regularly review and evaluate the effectiveness of the change management process, identify areas for improvement, and implement necessary adjustments.

ISO 27001 Change Management Policy Template

It can be confusing to work out what to include in a change management policy or where to start. An ISO 27001 policy template that is pre-written and ready to go can save you a lot of heartache, so that is why we have done the heavy lifting with the ISO 27001:2022 Change Management Policy Template.

For a deeper understanding of the change management policy read ISO 27001 Change Management Policy Explained + Template

ISO 27001 Change Management Policy Example

Examples of using it for small businesses

You want to switch your company email from Google Workspace to Microsoft 365.

You first check the security settings of the new Microsoft 365 account. You make sure the access rules are the same or better than your old system. You get the CEO’s OK before you start the switch.

Examples of using it for tech startups

Your development team wants to deploy a new feature on your main application server.

Before deploying, you run a security scan on the new code. You check that the firewall rules for the server are still correct. You use your automated tools to confirm the change didn’t open a new way in for hackers.

Examples of using it for AI companies

You need to use a new, larger dataset to train your main AI model.

You check where this new data came from and if it has any sensitive personal information that shouldn’t be used. You confirm the new storage location for the model is protected with strong encryption.

How can the ISO 27001 toolkit help?

The ISO 27001 toolkit is a great shortcut. It often includes pre-written policies, procedures, and forms that you can use right away. It saves you the hassle of writing everything from scratch and helps you make sure you don’t miss any important details.

Information security standards that need it

Change Management is a key part of ISO 27001, which is an international standard for managing information security. Other standards that need it include:

  • GDPR (General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)
  • DORA (Digital Operational Resilience Act)
  • NIS2 (Network and Information Security (NIS) Directive)
  • SOC 2 (Service Organisation Control 2)
  • NIST (National Institute of Standards and Technology)
  • HIPAA (Health Insurance Portability and Accountability Act)

List of relevant ISO 27001:2022 controls

The ISO 27001:2022 standard has specific controls that relate to change management:

How to audit ISO 27001 Annex A 8.32

To conduct an internal audit of ISO 27001 Annex A 8.32 Change Management, use the following audit checklist, which sets out what to audit and how to audit it.

1. Check if there is a Change Management Process

  • Is there a documented ISO 27001 change management process with clear roles and responsibilities, documented procedures, and standardised forms? Walk through them to ensure what happens matches the documentation.
  • Is there an ISO 27001 change management policy?

2. Get evidence of changes

  • Have changes been identified?
  • Is there evidence of regular risk assessments?
  • Review internal audits for change.
  • Review the management reviews for the inclusion of change.

3. Assess if there were Impact Assessments

  • Assess the risk assessment methodology for change
  • Review if the relevant stakeholders are involved in the impact assessment process.

4. Check if authorisations were obtained

  • Walk through the approval workflows.
  • Review whether delegation is at appropriate authority levels.
  • Assess which approval system is used and walk through it to evidence authorisation.

5. Audit the implementation and test of changes

  • Sample changes and conduct a thorough review of the testing of those changes.
  • Assess whether testing includes unit testing, integration testing, security testing and user acceptance testing.
  • Gain evidence of back-out and roll-back planning.

6. Assess if changes were communicated

  • Review the communication plan.
  • Gain evidence of regular updates, training sessions, and clear documentation.
  • Review meeting minutes for the inclusion of change such as change meetings, management reviews, risk reviews.

7. Audit the monitor and review of changes

  • Seek evidence of post-implementation reviews.
  • Do post-implementation reviews assess the effectiveness of changes and identify any areas for improvement?
  • Walk through the success criteria applied to changes.

8. Review documented changes

  • Assess the documentation for changes, and the changes made to that documentation.

9. Check how other processes integrate with Change Management

  • Assess if and how change management is integrated with other key ISMS processes to ensure consistency and efficiency.

10. Assess if changes are subject to Continual Improvement

  • Gain evidence of a regular review and evaluation of the effectiveness of the change management process.
  • Assess whether it identified areas for improvement, and whether the necessary adjustments were implemented.

What are the guidelines for change management?

You are going to make sure that you have documented change guidelines. These can be standard guidelines or industry best practice, and you likely already do this today; just make sure that this is written down, communicated and available to those that need it.

Included in your change management will be consideration for the following:

  • Planning of Change
  • Impact Assessment of Change
  • Risk Assessment of Change
  • Communication of Change
  • Test and Acceptance of Change
  • Deployment Plans for Changes
  • Back-out/rollback procedures for failed changes
  • Records of Change
  • Updated Documentation as a result of change
  • Updated Business Continuity and Disaster Recovery as a result of change

For change management you need documented roles, responsibilities, processes and procedures.

Change management is not overly complex although it can be a documentation overhead. Be sure to document everything and have evidence of past changes for the auditor to review.

ISO 27001 Annex A 8.32: Change Management FAQ

What is the purpose of ISO 27001 Annex A 8.32 Change Management?

To establish a structured process for managing changes to information systems and processing facilities, ensuring that these changes do not introduce new security risks or disrupt operations.

Why is change management important for information security?

Reduces Risks: Minimises the risk of introducing vulnerabilities, errors, or disruptions during system modifications.
Ensures Compliance: Helps organisations comply with regulatory requirements and maintain ISO 27001 certification.
Improves Efficiency: Streamlines the change process, reducing delays and improving overall efficiency.
Maintains Stability: Helps maintain the stability and integrity of information systems.

What are the key elements of an effective change management process?

Change Request: A formal process for submitting and documenting change requests.
Impact Assessment: Evaluating the potential impact of a change on security, operations, and other relevant areas.
Risk Assessment: Identifying and mitigating potential risks associated with the change.
Approval Process: Obtaining necessary approvals from relevant stakeholders before implementing the change.
Testing and Validation: Thoroughly testing the change in a controlled environment before deployment.
Implementation and Deployment: Carefully implementing the change according to a pre-defined plan.
Documentation and Record Keeping: Maintaining detailed records of all changes and related activities.

What types of changes should be included in the change management process?

Hardware and software upgrades and installations.
Network configuration changes.
Security policy updates.
System maintenance activities.
New system implementations.

How can organisations ensure that changes are properly authorised?

Establishing clear approval workflows.
Defining roles and responsibilities for authorising changes.
Implementing electronic approval systems to track and manage approvals.

What are the benefits of conducting thorough testing before implementing changes?

Identifying and resolving potential issues before they impact production systems.
Reducing the risk of downtime and service disruptions.
Ensuring that changes meet the required security and performance standards.

How can organisations ensure that changes are properly documented?

Utilising a change management database or log.
Maintaining detailed records of all change requests, approvals, tests, and implementations.
Archiving change records for future reference and auditing purposes.

How can organisations improve their change management process?

Regularly reviewing and updating the change management process.
Conducting periodic audits and assessments of the change management process.
Training employees on the importance of following change management procedures.
Utilising change management tools and automation to streamline the process.

What are the consequences of inadequate change management?

Increased security risks, including vulnerabilities and data breaches.
System instability and downtime.
Non-compliance with regulatory requirements.
Loss of customer trust and damage to reputation.

How can organisations demonstrate compliance with ISO 27001 Annex A 8.32 during an audit?

Providing documentation of the change management process.
Demonstrating adherence to the defined change management procedures.
Presenting evidence of successful change implementations.
Showing that the change management process is regularly reviewed and improved.

ISO 27002:2022 Control 8.32

ISO 27002 Control 8.32 provides implementation guidance for Change Management.

Further Reading

ISO 27001 Change Management Policy Beginner’s Guide

ISO 27001 Annex A 8.32 Attributes Table

Control type: Preventive
Information security properties: Confidentiality, Integrity, Availability
Cybersecurity concepts: Protect
Operational capabilities: Information Protection, Application Security, System and Network Security
Security domains: Protection

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2, and his niche is start-up and early-stage business.