Establish and Manage System Configuration Changes
Ensure systems have a plan for managing changes, including approvals and notifications for both routine and urgent updates.
Plain language
Managing how changes are made to your computer systems might seem straightforward, but without a clear plan, you risk things going wrong, like losing important data or making systems unusable. By having a set process for requesting, approving, and notifying about changes, you can significantly reduce the chance of causing disruptions to your business operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Systems have a change and configuration management plan that includes:
- the establishment and maintenance of authorised baseline configurations for systems
- what constitutes routine and urgent changes to the configuration of systems
- how changes to the configuration of systems will be requested, tracked and documented
- who needs to be consulted prior to routine and urgent changes to the configuration of systems
- who needs to approve routine and urgent changes to the configuration of systems
- who needs to be notified of routine and urgent changes to the configuration of systems
- what additional change management and configuration management processes and procedures need to be followed before, during and after routine and urgent changes to the configuration of systems.
Why it matters
Without a robust change and configuration management plan, unapproved alterations can introduce vulnerabilities and disrupt critical operations.
Operational notes
Log, track and document all routine and urgent change requests; obtain approvals/notifications and audit regularly to prevent drift from authorised baselines.
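The operational note above asks for two things that are easy to automate: comparing a system's live configuration against its authorised baseline, and reconciling every difference with an approved, notified change record so that anything left over is reported as unapproved drift. The following is an added illustration, not code from the ISM or from Control Stack; the host name, setting keys, values and change records are all constructed for the example.

```python
"""
Added example: baseline drift check reconciled against a change register.
Every difference between the authorised baseline and the live configuration
must match an approved change record; anything else is unapproved drift.
All data below is constructed for illustration (hypothetical host "web-01").
"""
from dataclasses import dataclass, field

# Constructed authorised baseline configuration for the hypothetical host.
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "firewall.inbound.allow": "22,443",
    "auditd.enabled": "yes",
}

# Constructed live configuration as collected from the host.
CURRENT = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "yes",    # changed; approved change below
    "firewall.inbound.allow": "22,443,8080", # changed; no approved record
    "auditd.enabled": "yes",
    "ntp.server": "10.0.0.5",                # new setting; approved change below
}


@dataclass
class ChangeRecord:
    """One entry in the change register (constructed schema)."""
    change_id: str
    kind: str                 # "routine" or "urgent"
    setting: str
    new_value: str
    approved_by: str          # empty string means not yet approved
    notified: list[str] = field(default_factory=list)


# Constructed change register for the host.
APPROVED_CHANGES = [
    ChangeRecord("CHG-0001", "routine", "sshd.PasswordAuthentication", "yes",
                 "system.owner", ["it-ops", "helpdesk"]),
    ChangeRecord("CHG-0002", "urgent", "ntp.server", "10.0.0.5",
                 "system.owner", []),   # approved but nobody notified yet
]


def diff_config(baseline: dict, current: dict) -> dict:
    """Return {setting: (baseline_value, current_value)} for every difference.
    A setting missing on one side is reported with None for that side."""
    diffs = {}
    for key in sorted(set(baseline) | set(current)):
        before, after = baseline.get(key), current.get(key)
        if before != after:
            diffs[key] = (before, after)
    return diffs


def reconcile(diffs: dict, changes: list) -> tuple:
    """Split differences into (approved, drift).
    approved maps setting -> change_id for differences explained by an
    approved record; drift maps setting -> (before, after) for the rest."""
    by_target = {(c.setting, c.new_value): c for c in changes}
    approved, drift = {}, {}
    for setting, (before, after) in diffs.items():
        record = by_target.get((setting, after))
        if record is not None and record.approved_by:
            approved[setting] = record.change_id
        else:
            drift[setting] = (before, after)
    return approved, drift


def unnotified_changes(changes: list) -> list:
    """Approved changes whose notification step has not been recorded."""
    return [c.change_id for c in changes if c.approved_by and not c.notified]


def drift_report(baseline: dict, current: dict, changes: list) -> list:
    """Human-readable audit lines for the three findings above."""
    approved, drift = reconcile(diff_config(baseline, current), changes)
    lines = [f"APPROVED  {s} -> {cid}" for s, cid in approved.items()]
    lines += [f"DRIFT     {s}: {b!r} -> {a!r} (no approved change)"
              for s, (b, a) in drift.items()]
    lines += [f"NOTIFY    {cid}: approved but no notification recorded"
              for cid in unnotified_changes(changes)]
    return lines


if __name__ == "__main__":
    for line in drift_report(BASELINE, CURRENT, APPROVED_CHANGES):
        print(line)
```

Run periodically, the same three outputs map directly onto the audit evidence the control asks for: the approved list is the record that changes were requested and signed off, the drift list is what an auditor will ask the system owner to explain, and the notify list catches approved changes whose notification step was skipped.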
Implementation tips
- System owners should establish a clear list of what counts as a routine or urgent change to their systems. They can do this by reviewing past system changes and categorising them based on their impact and how quickly they needed to be implemented.
- The IT team should create a formal change request process to request and document all proposed changes. This might involve filling out a simple form outlining the nature and urgency of the change, and submitting it for review.
- Managers need to determine who has the authority to approve changes and ensure this person is informed about their role. They can do this by assigning change approval responsibilities as part of each system owner's job description.
- Communication leads should set up a notification process for informing all relevant personnel of upcoming changes. This could include emails or meetings to discuss the impact and timing of the changes with affected staff.
- System owners and IT teams should regularly review and update the change management plan. This involves scheduling periodic meetings to discuss any process improvements and amendments based on feedback and incidents.
Audit / evidence tips
- Ask for the written change management plan documentation: ensure it includes definitions for routine and urgent changes. Good evidence shows there are clear categories with specific examples.
- Good evidence has detailed records for every change made.
- Ask for the list of personnel authorised to approve changes: verify it matches the people's job descriptions. Good evidence has a decision-maker clearly listed with authority for signing off changes.
- Good evidence shows organised and timely notification of each change.
- Ask for past change review meeting notes: assess whether regular reviews of the process are occurring. Good evidence includes records showing that the plan was discussed and necessary updates were made.
Cross-framework mappings
How ISM-0912 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
Partially overlaps (5):

| Control | Notes |
|---|---|
| Annex A 5.37 | Annex A 5.37 requires documented and accessible operating procedures for information processing facilities |
| Annex A 8.8 | Annex A 8.8 requires organisations to manage security configuration in response to technical vulnerabilities by assessing exposure and ap... |
| Annex A 8.9 | Annex A 8.9 requires configurations of hardware, software, services and networks to be established, documented, implemented, monitored an... |
| Annex A 8.19 | Annex A 8.19 requires controlled, secure processes for installing software on operational systems |
| Annex A 8.32 | ISM-0912 requires organisations to implement a change and configuration management plan that defines and governs routine and urgent confi... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.