Change management procedures for information systems
Ensure all system changes follow a formal, approved process to prevent issues.
Plain language
Change management is about having a plan for updating or modifying your computer systems in a way that keeps everything working smoothly. Without it, you might accidentally disrupt your business or expose sensitive information to risks. Think of it like making sure you have a proper plan in place before rearranging an office - it prevents chaos.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Technological controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
12 Apr 2026
Maturity levels
N/A
Official control statement
Changes to information processing facilities and information systems shall be subject to change management procedures.
Why it matters
Uncontrolled system changes can cause outages, introduce vulnerabilities, and lead to unplanned downtime, negatively impacting business operations.
Operational notes
Review change logs weekly; ensure IT and security assess risk and obtain approvals before implementing changes.
Implementation tips
- The IT manager should set up a formal change management process. They can do this by creating a checklist that includes planning, assessing the impact, obtaining authorisation, testing, and communicating changes. Following the ISO 27002:2022 guidelines ensures all potential risks are managed.
- The executive team needs to assign responsibility for approving changes. This means choosing someone who understands both the business and technical sides to review every planned change and give the green light if it meets all security and operational requirements.
- IT staff should document each step in the change management process. By keeping detailed records of what changes were made, who approved them, and any testing results, you create a clear trail. This documentation helps ensure consistency and can protect against future issues if something goes wrong.
- Operations personnel need to communicate upcoming changes to everyone in the organisation. They should send out emails or hold meetings to explain upcoming changes, how they could affect work, and what the timeline is.
- The IT department should integrate all change management procedures with existing IT policies. This involves aligning change management with broader IT and cybersecurity frameworks such as the ASD Essential Eight, and keeping business continuity plans updated in line with ISO standards.
Audit / evidence tips
- Ask: Request the change log or change management documentation.
  Good: A complete and organised log with no missing sections, proving each step was followed and recorded.
- Ask: Request records of change management meetings or communications.
  Good: Detailed records showing that each change was clearly communicated and that all stakeholders were informed ahead of implementation.
- Ask: Ask for test results documentation for implemented changes.
  Good: Comprehensive test result documents showing that potential impacts were evaluated and confirmed successful before deployment.
- Ask: Request the authorisation records for recent changes.
  Good: All changes have a designated approver's sign-off, showing the decision-making process was appropriately followed.
- Ask: Demand evidence of updated operational documentation.
  Good: Updated guides or manuals that align with the most recent system changes, demonstrating that users have the latest instructions.
Cross-framework mappings
How Annex A 8.32 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Partially meets (6) | ISM-0597 | ISM-0597 requires that when an organisation plans, designs, implements or introduces additional connectivity to cross domain systems (CDS... |
| Partially meets (6) | ISM-0912 | Annex A 8.32 requires that changes to information systems are governed by change management procedures to control risk and prevent uninte... |
| Partially meets (6) | ISM-1419 | ISM-1419 requires that software development and modification occur only in development environments, preventing ad-hoc production changes |
| Partially meets (6) | ISM-1824 | ISM-1824 addresses controlling changes by users to PDF application security settings, effectively treating such changes as disallowed con... |
| Partially meets (6) | ISM-1944 | ISM-1944 mandates a specific secure configuration outcome for AD CS CAs: the EDITF_ATTRIBUTESUBJECTALTNAME2 flag must be removed to reduc... |
| Partially meets (6) | ISM-1948 | ISM-1948 requires CA Certificate Manager approval before using AD CS certificate templates that permit requester-supplied Subject Alterna... |
| Partially overlaps (5) | ISM-0300 | ISM-0300 requires an explicit approval mechanism (ASD) and prescribed processes/timeframes before implementing patches or mitigations on ... |
| Partially overlaps (5) | ISM-1079 | ISM-1079 requires ASD approval before performing maintenance or repairs on high assurance IT equipment |
| Partially overlaps (5) | ISM-1211 | Annex A 8.32 requires organisations to subject system changes to defined change management procedures |
| Partially overlaps (5) | ISM-1564 | ISM-1564 requires the system owner to produce a POA&M after a security assessment to address identified weaknesses through defined action... |
| Partially overlaps (5) | ISM-1598 | ISM-1598 requires verifying, after maintenance, that IT equipment retains its approved configuration and has not been changed without aut... |
| Supports (13) | ISM-0289 | ISM-0289 requires evaluated products to be installed, configured, administered and operated in their evaluated configuration and in accor... |
| Supports (13) | ISM-0518 | ISM-0518 requires network documentation to be developed and maintained so the organisation can understand and manage the network |
| Supports (13) | ISM-1143 | Annex A 8.32 establishes the need for change management for system changes |
| Supports (13) | ISM-1297 | ISM-1297 requires organisations to change or disable default accounts on network devices, which is a common configuration change that mus... |
| Supports (13) | ISM-1430 | ISM-1430's requirement for stateful DHCPv6 and centralized logging ties into Annex A 8.32 by ensuring that such configurations and logs a... |
| Supports (13) | ISM-1606 | ISM-1606 requires timely application of patches, updates or vendor mitigations to isolation mechanisms and their underlying host operatin... |
| Supports (13) | ISM-1610 | ISM-1610 mandates the documentation and testing of emergency system access procedures during initial implementation and after infrastruct... |
| Supports (13) | ISM-1615 | ISM-1615 requires a specific post-change verification: testing break glass accounts after their credentials are changed |
| Supports (13) | ISM-1634 | ISM-1634 requires system owners, with the authorising officer, to choose and tailor a set of controls appropriate to the system’s securit... |
| Supports (13) | ISM-1732 | ISM-1732 requires that intrusion remediation is coordinated and carried out during the same planned outage where possible to minimise dis... |
| Supports (13) | ISM-1816 | ISM-1816 is concerned with preventing unauthorised changes to the authoritative software source to maintain integrity |
| Supports (13) | ISM-2025 | ISM-2025 requires using an issue tracking tool to link development tasks to security decisions and change/feature requests |
| Supports (13) | ISM-2073 | ISM-2073 requires an organisation to implement and maintain a PQC transition plan, which typically involves coordinated changes to algori... |
| Related (1) | ISM-0042 | ISM-0042 requires organisations to establish and maintain comprehensive system administration processes and procedures, including control... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.