The basics
ISO 27001 sub-clause 6.3 is called “Planning of changes” — it is rather short, and requires any change in the ISMS to be done in a planned manner. This approach helps organizations maintain the integrity and effectiveness of their ISMS while continuously improving their information security practices.
By planning changes systematically, organizations can ensure that:
- risks are assessed
- security requirements are identified
- roles and responsibilities are defined
- the necessary steps are taken to implement changes effectively.
Documentation
ISO 27001 clause 6.3 Planning of changes does not require writing any documents. This control can be implemented by using the Risk Treatment Plan which is mandatory according to clause 6.1.
The following document is not mandatory according to clause 6.3, and companies can decide whether to write it:
Implementation
Complying with clause 6.3 Planning of changes means that changes cannot be made ad hoc, without considering their consequences, or without defining who is in charge of what.
Therefore, the steps for implementing this clause could be:
- Define what kind of (bigger) changes need to be controlled, and what kind of (smaller) changes do not need to be controlled.
- Define who is authorized to approve bigger changes.
- Define which decisions the person authorizing bigger changes needs to make: who is in charge of implementing the change, which reports need to be produced, how the performed change is reviewed, etc.
Audit evidence
Evidence regarding ISO 27001 clause 6.3 Planning of changes:
- If all significant changes are planned – e.g., the introduction of new technology is planned in such a way that risk assessment is performed, security requirements are identified, roles and responsibilities for the implementation are defined, etc.
- If all significant changes are reflected in the Risk Treatment Plan for implementing or changing controls.
- If approval of any major changes to the ISMS is done through the Management Review.