Standards & governance
21 July 2023

ISO 27001 – Clause 6.3 – Change planning

Planning changes to an information security management system (ISMS) is important for several reasons. Firstly, it helps to minimize the impact on operations.

Secondly, unplanned changes can cause breakdowns or malfunctions across the organization.

Have you ever installed an update on a Friday afternoon? Have you always had a nice evening afterwards?

That’s why good planning helps to anticipate and manage these potential disruptions, ensuring a smooth transition.

Clause 6.3 covers changes to the ISMS itself: its policies, governance, objectives, performance indicators, and so on.

Change management means planning ahead of any change to the ISMS rather than reacting to it afterwards.


It’s important to remember that when it comes to risk prevention, planning plays an important role. Unplanned or poorly managed change can introduce vulnerabilities into systems, increasing the risk of security incidents or unexpected downtime, which can lead to loss of productivity, and even loss of data and/or services.

To comply with this planning objective, an organization must follow the same steps as when managing operational changes.

  1. Identify the need for change: this first step determines which aspects of the information security management system (ISMS) require modification. The need may come from a risk analysis, an internal audit, a security incident, an observed non-compliance, a technological, legal or regulatory development, or feedback. In short: why is the change needed?
  2. Change planning: once the need has been identified, the next step is to plan the change. This means developing a detailed plan that specifies what to change, how to change it, who will be responsible for the change, and the timetable for the change. Planning must also assess the potential impacts on information security, as well as on the organization’s operations and resources. The organization needs to consider what resources are required to implement the change successfully. (Don’t forget to have the plan approved by the interested parties.)
  3. Implementing change: After planning, the change must be implemented in accordance with the established plan. This may involve modifying policies, processes, procedures, systems, technologies or staff training.
  4. Change monitoring and review: once the change has been implemented, it needs to be monitored and reviewed to ensure that it has been carried out correctly and is achieving its intended purpose. This may involve audits, checks, security tests or management reviews. In practical terms, who will verify that the change is actually in place? Internal or external audits are very useful at this stage.
  5. Documentation: All stages of the change process, including identification of the need, planning, implementation and review, must be documented. This ensures that the organization can demonstrate its compliance with this requirement. This documentation can take the form of an “Excel”-type register, or a ticketing system for historical purposes.

Think of these items as the columns of your change management register. The register can be more elaborate, but these steps are the minimum for successful change planning.

Success criteria

To determine whether we have complied with clause 6.3 of ISO 27001, here are a few questions an auditor might ask:

  • How do you assess the potential impact on information security when planning changes?
  • Can you provide an example of a recent change plan?
  • Who is responsible for implementing these changes?
  • How do you monitor and review changes to the ISMS?
  • Where and how are change processes documented?

I invite you to click on “Follow” to continue learning more about the field of information security.

Patrick Boucher
President and founder
25+ years of experience in security, ethical hacking, business continuity