ISO 27001: 2022 A.8.32 Change management

This article provides additional information on how you can meet the requirement of ISO 27001: 2022 control A.8.32 Change management.

ISO 27001: 2022 Control Description

Changes to information processing facilities and information systems shall be subject to change management procedures.

Purpose

To ensure information security is maintained when making changes to information processing facilities and systems.

Guidance on implementation

When introducing new systems or making significant changes to existing ones, it is essential to follow established procedures. This includes thorough documentation, detailed specifications, testing, quality control, and managed implementation. Clear management responsibilities and procedures should be in place to ensure all changes are effectively controlled.

Change Control Procedures

Change control procedures must be documented and strictly followed to ensure the confidentiality, integrity, and availability of information throughout the entire system development life cycle, from the initial design stages through to ongoing maintenance.

Where possible, integrate change control procedures for ICT infrastructure and software. These procedures should include:

  1. Planning and Impact Assessment
    Plan and assess the potential impact of changes, taking into account all dependencies.
  2. Authorisation of Changes
    Ensure that all changes are authorised before implementation.
  3. Communication
    Communicate changes to all relevant parties to keep everyone informed.
  4. Testing and Acceptance
    Test the changes thoroughly and ensure that the results are accepted before proceeding.
  5. Implementation and Deployment
    Implement changes according to a well-structured deployment plan.
  6. Emergency and Contingency Planning
    Include procedures for emergencies and contingencies, including fall-back options if something goes wrong.
  7. Record-Keeping
    Maintain detailed records of all changes, including the planning, authorisation, testing, and implementation steps.
  8. Updating Documentation
    Ensure that all operational documentation and user procedures are updated as needed.
  9. Reviewing Continuity Plans
    Update ICT continuity plans and recovery procedures to reflect any changes.

Additional Information

Poor control of changes to information processing facilities and systems is a common cause of system or security failures. Changes, particularly when moving software from development to production environments, can affect the integrity and availability of applications.

It is good practice to test ICT components in an environment separate from both production and development. This helps maintain control over new software and protects operational information used in testing. This approach should apply to patches, service packs, and other updates.

Remember, the production environment includes operating systems, databases, and middleware platforms. These controls should be applied to changes in both applications and infrastructure.