ISO 27001 Clause 6.3
This sub-clause requires the organisation to manage changes to the ISMS in a planned manner, considering purpose, consequences, integrity and resources.
ISO 27001 Clause 6.3 - Planning of Changes
Clause 6.3 was added to ISO 27001:2022 to bring the standard in line with other management system standards. It is a short clause - one sentence - but it sits at the centre of how the management system stays current. Without controlled change, the ISMS that was certified two years ago is not the ISMS running today.
What ISO 27001 Clause 6.3 Requires
When the organisation determines the need for changes to the information security management system, the changes must be carried out in a planned manner. The clause does not specify how that planning is documented or what the change process needs to look like. It does require evidence that changes are made deliberately rather than by accident.
The clause covers changes to the management system itself - changes to the policy, the scope, the risk assessment methodology, the controls, the procedures, the documented information. It does not deal with operational change such as deploying new servers or onboarding new suppliers. Those are covered by the operational controls in Annex A and the change management requirements in Clause 8.1.
What Triggers an ISMS Change
Common triggers for changes to the ISMS include changes to the operating environment (new regulations, new sector requirements, major new contracts), changes to the organisation (mergers, acquisitions, restructures, new sites), changes to the threat landscape (new types of attack, lessons from incidents), changes to the technology in use (new platforms, new ways of working), and findings from internal audits, management reviews and external audits.
Each of these can require updates to the policy, the risk register, the controls, the documented information or the resourcing of the management system. Clause 6.3 requires those updates to be planned rather than made on the fly.
Documenting and Approving ISMS Changes
Most organisations handle ISMS changes through one of two routes. Significant changes - to the policy, the scope, the risk methodology - go through the management review where they are discussed, decided and recorded. Smaller changes are handled through the issues and actions register where the change is identified, an owner is assigned, and the action is tracked through to completion.
A change review form can be used for significant changes that need a structured assessment of the impact. The form captures the proposed change, the rationale, the impact on risks and controls, the resources needed and the approval. The form is used selectively, not for every minor update.
The most common gap I see at this clause is changes happening without anything being recorded. The risk register gets updated, the SoA gets updated, the policy gets updated, but there is no audit trail showing why or who decided. The clause does not need a formal change board, but it does need evidence that someone is making the calls.
Use the management review for big changes and the issues register for everything else. That way you have a single source of truth for what changed, when and why. Anything more complicated tends to fall apart inside a year.
Practical Compliance Guidance
The issues and actions register is the workhorse for tracking changes to the ISMS. Significant changes are discussed and recorded at management review. A change review form is available for the larger changes that benefit from a more structured assessment.
The documents below support the planned management of changes to the information security management system.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | Complete documentation set for ISO 27001:2022 including the issues and actions register and the change review form. |
| ER1 Issues and Actions Register | Tracks issues, actions and changes across the management system with owners, due dates and status. Used as the central log of changes to the ISMS. |
| F-Q23 Change Review Form | Structured change review form for significant changes, capturing the rationale, impact assessment, resources needed and approval. |
| F-Q3 Management Review | Management review template where significant ISMS changes are discussed, decided and recorded. |
Note - all the above files can be downloaded with an alphaZ subscription.
UK Legislation
No UK legislation directly applies to the planning of changes to the management system itself.
