System Admin Activities Follow Change Management Plan
Admins follow a defined plan for system changes to ensure proper management.
Plain language
Think of system administration like running a well-organised kitchen. Just as chefs follow a recipe to avoid serving up something unexpected, system administrators follow a set plan when they make changes to computer systems. This prevents accidents, such as unexpected system outages or security issues, which could lead to data loss or damage to your business's reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system management
Section
System administration
Official control statement
System administrators perform system administration activities in accordance with the system's change and configuration management plan.
Why it matters
If admins bypass the change/configuration management plan, unauthorised changes can cause outages, weaken controls, and enable breaches.
Operational notes
Perform admin work only via the change/configuration management plan: raise a change record, assess risk, obtain approvals, implement, and record outcomes.
Implementation tips
- System administrators should document a change management plan. They can start by listing all the usual tasks and identifying which ones involve changes to systems. Break tasks into small steps and ensure each change is thought through and approved before it starts.
- The IT team should organise regular training. Make sure every person who looks after your systems understands the change management plan. Conduct workshops where team members can discuss the steps and ask questions. This ensures that everyone knows how to follow the plan correctly.
- Managers should set up a review process. Have a monthly meeting with system administrators to go over recent changes and issues. Discuss what went well, what didn’t, and update the change management plan as needed. This keeps the process current and clear for everyone involved.
- System owners should ensure approval protocols are followed. Before any change is made, make sure that the person responsible gets the necessary approvals. This could involve filling out a form or sending an email for sign-off, to confirm that changes align with the overall business strategy.
- The IT team should implement a logging system. Use this to track every change made to the system, who made it, and why. Regularly reviewing these logs helps spot any unauthorised changes and ensures adherence to the change management plan.
Audit / evidence tips
- Ask: the change management plan document. Good: includes clear steps and responsible persons for each part of the process
- Ask: to see recent change request records
- Ask: records of change management training sessions
- Ask: to see minutes from recent change review meetings. Examine the meeting notes for discussions on recent changes, identified issues, and updates to the change plan
- Ask: system change logs from the past month. Check for entries showing changes, who made them, and reasons for the changes. A thorough log demonstrates transparency and adherence to the change management process
Cross-framework mappings
How ISM-1211 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 8.9 | ISM-1211 requires system administrators to carry out system administration activities in line with an established change and configuratio... | |
| Annex A 8.32 | ISM-1211 requires system administrators to perform administrative activities in accordance with the system’s change and configuration man... | |
| Supports (1) | | |
| Annex A 8.8 | Annex A 8.8 requires organisations to evaluate exposure to technical vulnerabilities and apply appropriate measures, which often includes... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.