ISO 27001 Annex A Control 8.32

ISO 27001 control 8.32 Change management

The basics

ISO 27001 control A.8.32 Change management requires companies to ensure that changes to information systems and information processing facilities are planned, authorized and controlled before they are made. This matters because uncontrolled changes are a frequent cause both of unplanned service interruptions and of security weaknesses (for example a misconfiguration introduced by an untested change), and because a change that was never recorded is very hard to trace when you later investigate an incident.

Documentation

ISO 27001 control A.8.32 Change management can be documented in a written change management procedure or policy, for example a Change Management Policy or the Security Procedures for the IT Department described under Implementation below.

These documents are not mandatory, but are recommended.

Implementation

In order to comply with control A.8.32 Change management you might implement the following:

  • Technology — the technology needed to manage changes will in most cases already be available in the company. Smaller companies will probably be able to manage changes using office applications for planning and preparation and commonly used messaging applications for communication, whereas larger companies will probably need software that centralizes change requests so they can be tracked and managed in a shared way. Whatever tooling is used, it should leave a record of who requested each change, who authorized it, and when and by whom it was implemented; without that record you cannot show the auditor that changes were controlled.
  • Organization/processes — define a process that assigns responsibilities for planning, evaluating, authorizing, implementing, reviewing and communicating changes, considering all relevant parties. Evaluation should cover the impact and security risk of the change, and the process should include testing before deployment and a fallback plan for aborting or recovering from an unsuccessful change; emergency changes should still be recorded and authorized, even if the approval happens after the fact. You can document this process in the Security Procedures for the IT Department or in a Change Management Policy.
  • People — make employees aware of why managing changes is necessary, and train management and staff in how to follow the change process.

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.8.32 Change management: that changes to information systems are properly controlled and authorized. In practice this usually means sampling recent changes and checking that each one was requested, evaluated, approved by an authorized person, and implemented and reviewed as the documented process requires, and that no changes were made outside the process.