This article provides additional information on how you can meet the requirements of ISO 27001:2022 control A.8.32 Change management.
ISO 27001:2022 Control Description
Changes to information processing facilities and information systems shall be subject to change management procedures.
Purpose
To ensure information security is maintained when making changes to information processing facilities and systems.
Guidance on implementation
When introducing new systems or making significant changes to existing ones, established procedures must be followed. This includes documentation, detailed specifications, testing, quality control and managed implementation. Clear management responsibilities and procedures should be in place so that every change is effectively controlled, and the control should cover emergency changes as well as routine ones.
Change Control Procedures
Change control procedures must be documented and enforced to protect the confidentiality, integrity and availability of information throughout the entire system development life cycle, from initial design through to ongoing maintenance.
Where practicable, use a single, integrated change control procedure for ICT infrastructure and software rather than separate ones, so that a change to a server, network device or platform is subject to the same controls as a change to an application. The procedure should include:
- Planning and Impact Assessment
  Plan the change and assess its potential impact, taking into account all dependencies on other systems, data and services.
- Authorisation of Changes
  Ensure that every change is authorised by a responsible party before implementation.
- Communication
  Communicate the change to all relevant parties so that affected users, operators and security staff are informed.
- Testing and Acceptance
  Test the change thoroughly and obtain acceptance of the results before proceeding to deployment.
- Implementation and Deployment
  Implement the change according to a defined deployment plan.
- Emergency and Contingency Planning
  Include procedures for emergencies and contingencies, including fall-back (rollback) options and responsibilities for aborting or recovering from a failed change.
- Record-Keeping
  Maintain an audit trail of all changes, recording the planning, authorisation, testing and implementation steps so that who changed what, when and why can be reconstructed.
- Updating Documentation
  Ensure that operational documentation and user procedures are updated to reflect the change.
- Reviewing Continuity Plans
  Update ICT continuity plans and recovery procedures to reflect the change.
Additional Information
Poor control of changes to information processing facilities and systems is a common cause of system and security failures. Changes, particularly when moving software from development to production environments, can affect the integrity and availability of applications, for example by deploying untested code, overwriting configuration, or introducing dependencies that were not present in the development environment.
It is good practice to test ICT components in an environment that is separate from both production and development. This gives a controlled environment in which to validate new software before it is deployed, and protects the operational information used for testing from being exposed or altered. The same approach should apply to patches, service packs and other updates, not only to new releases.
Remember that the production environment includes operating systems, databases and middleware platforms, not just the applications that run on them. These controls should therefore be applied to changes in both applications and infrastructure.