Change Management - ISO 27001 Annex A Control
ISO 27001 Annex A 8.32
Most outages and many breaches start with a change - control them or the changes will control you.
ISO 27001 Annex A 8.32 - Change Management
Change is the source of most operational incidents - a recent deployment that broke something, a configuration update with an unintended side effect, a patch that conflicted with another component. The control asks for changes to be made through a defined process so that the risk is assessed before the change happens and the trail is recorded for after-action review.
Practical change management balances speed and control. Heavy-handed change processes drive workarounds and slow legitimate work; lightweight processes let high-risk changes through without the review they need. Most organisations therefore operate several change categories: standard low-risk changes that follow a predefined, pre-approved path; normal changes with individual risk assessment and approval; and emergency changes that are implemented first and reviewed retrospectively.
The control links to several others: configuration management (A.8.9) for the baselines that changes alter, secure development (A.8.25) for code changes, and incident management (A.5.24-A.5.27) for the link between failed changes and resulting incidents. Change records form part of the audit trail across all of these.
The audit looks at change records to confirm the process actually operated: risk assessed before approval; approval by an appropriate authority, normally someone other than the person making the change; implementation as planned; post-change verification. Each step should be visible in the records, with timestamps that fall in that order. Where the records are incomplete or formulaic - every box ticked, nothing actually written - the change process is documenting rather than controlling.
Emergency changes are where the change process most often breaks down. The fix is needed now, the process feels like a barrier, the change happens without the normal controls. A defined emergency procedure - faster but still recorded, with retrospective review - keeps the trail intact while allowing the operational response that emergencies need.
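As an added illustration (not code from the alphaZ toolkit or from the standard), the following Python script runs the record-level checks described above over a constructed export of change records, covering all three change categories: ordering of the risk-assessment, approval, implementation and verification steps; independence of approver and implementer; formulaic free-text fields; rubber-stamp timestamps; and, for emergency changes, the presence of a retrospective review. The record field names, category labels, sample data and thresholds are assumptions for the example; map them onto whatever your ticketing system actually exports.

```python
"""Audit exported change records for evidence that the change process operated.

Added example; field names, categories and thresholds are assumptions.
"""
from __future__ import annotations

from datetime import datetime, timedelta
from typing import Optional

# Constructed sample export in the shape a ticketing system might dump records.
SAMPLE_RECORDS = [
    {   # well-formed normal change
        "id": "CHG-1001", "category": "normal",
        "requester": "alice", "approver": "cab", "implementer": "alice",
        "risk_assessed_at": "2024-03-04T09:00", "approved_at": "2024-03-04T11:30",
        "implemented_at": "2024-03-06T22:00", "verified_at": "2024-03-06T22:40",
        "risk_assessment": "Schema migration on orders DB; rollback script tested in staging.",
        "verification": "Smoke tests green, error rate unchanged after 30 min.",
        "standard_change_ref": None, "retrospective_review": None,
    },
    {   # formulaic: every step timestamped within minutes, self-approved, nothing written
        "id": "CHG-1002", "category": "normal",
        "requester": "bob", "approver": "bob", "implementer": "bob",
        "risk_assessed_at": "2024-03-05T10:00", "approved_at": "2024-03-05T10:01",
        "implemented_at": "2024-03-05T10:02", "verified_at": "2024-03-05T10:03",
        "risk_assessment": "N/A", "verification": "ok",
        "standard_change_ref": None, "retrospective_review": None,
    },
    {   # approval recorded after implementation on a non-emergency change
        "id": "CHG-1003", "category": "normal",
        "requester": "carol", "approver": "dave", "implementer": "carol",
        "risk_assessed_at": "2024-03-07T08:00", "approved_at": "2024-03-08T09:00",
        "implemented_at": "2024-03-07T23:00", "verified_at": "2024-03-07T23:30",
        "risk_assessment": "Firewall rule change for new partner VPN.",
        "verification": "Tunnel up, partner confirmed connectivity.",
        "standard_change_ref": None, "retrospective_review": None,
    },
    {   # emergency change: implemented before approval, but reviewed afterwards
        "id": "CHG-1004", "category": "emergency",
        "requester": "erin", "approver": "oncall-lead", "implementer": "erin",
        "risk_assessed_at": None, "approved_at": "2024-03-09T03:20",
        "implemented_at": "2024-03-09T03:05", "verified_at": "2024-03-09T03:40",
        "risk_assessment": "Hotfix for auth outage; revert path is redeploy of previous tag.",
        "verification": "Logins restored, 5xx rate back to baseline.",
        "standard_change_ref": None,
        "retrospective_review": "CAB reviewed 2024-03-11: root cause was untested config drift.",
    },
]

BOILERPLATE = {"", "n/a", "na", "none", "ok", "done", "approved", "see ticket", "as above"}
STEP_FIELDS = ("risk_assessed_at", "approved_at", "implemented_at", "verified_at")
RUBBER_STAMP_WINDOW = timedelta(minutes=10)  # assumed threshold


def _ts(value: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(value) if value else None


def is_formulaic(text: Optional[str]) -> bool:
    """Empty, boilerplate, or too short to describe anything counts as formulaic."""
    norm = (text or "").strip().lower().rstrip(".")
    return norm in BOILERPLATE or len(norm) < 15


def audit_record(rec: dict) -> list[str]:
    """Return findings for one record; an empty list means it evidences the process."""
    findings: list[str] = []
    t = {f: _ts(rec.get(f)) for f in STEP_FIELDS}

    if rec["category"] == "emergency":
        # Emergency path: implementation may precede approval, but verification
        # and a retrospective review must still be on the record.
        if t["verified_at"] is None:
            findings.append("emergency change has no post-change verification")
        if is_formulaic(rec.get("retrospective_review")):
            findings.append("emergency change lacks a retrospective review")
    else:
        # Normal/standard path: every step present and in order.
        findings.extend(f"missing {f}" for f in STEP_FIELDS if t[f] is None)
        for earlier, later in zip(STEP_FIELDS, STEP_FIELDS[1:]):
            if t[earlier] and t[later] and t[earlier] > t[later]:
                findings.append(f"{later} recorded before {earlier}")
        if t["risk_assessed_at"] and t["verified_at"] and \
                t["verified_at"] - t["risk_assessed_at"] < RUBBER_STAMP_WINDOW:
            findings.append("all steps timestamped within 10 minutes; looks rubber-stamped")
        if rec["category"] == "standard" and not rec.get("standard_change_ref"):
            findings.append("standard change does not cite its pre-approved template")

    if rec["approver"] == rec["implementer"]:
        findings.append("approver is the implementer (no independent approval)")
    if is_formulaic(rec.get("risk_assessment")):
        findings.append("risk assessment is formulaic or empty")
    if is_formulaic(rec.get("verification")):
        findings.append("post-change verification is formulaic or empty")
    return findings


def audit(records: list[dict]) -> dict[str, list[str]]:
    return {r["id"]: audit_record(r) for r in records}


if __name__ == "__main__":
    for change_id, findings in audit(SAMPLE_RECORDS).items():
        print(change_id, "OK" if not findings else "; ".join(findings))
```

The checks are deliberately mechanical: they find records that cannot have evidenced the process (steps out of order, self-approval, boilerplate text, four timestamps a minute apart), which is what an auditor sampling the change log will also spot first. A record that passes still needs a reader to judge whether the risk assessment was adequate.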
Practical Compliance Guidance
Change management is described in the IMS1 manual at section 8.3 on IT equipment alongside the wider operational arrangements. The change record system provides the operational evidence.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists. |
| PP-8-100 Information Security Policy Procedure | Contains the operational arrangements for change management including the categorisation, approval and review requirements. Use as the source for change governance. |
Note - all the above files can be downloaded with an alphaZ subscription.
