What the auditor wants to verify
Audit objective
Verify that changes to information processing facilities and information systems are assessed, approved, tested, implemented, recorded, and recoverable.
Evidence to request
| Evidence | Purpose |
|---|---|
| Change management procedure | Shows process and responsibility |
| Sample change requests | Shows actual use |
| Security impact assessments | Shows security was considered |
| Approval records | Shows authorization |
| Test evidence | Shows verification before release |
| Rollback/failback plans | Shows recovery planning |
| Implementation logs | Shows what changed and when |
| Release records | Shows grouped changes are traceable |
| Emergency change records | Shows urgent changes are still controlled |
Strong evidence
- Security impact is assessed before approval.
- Testing and rollback are proportionate to risk.
- Implementation logs match approved changes.
- Release records identify included changes.
- Emergency changes have retrospective review.
- Documentation/configuration records are updated.
Weak evidence
- Approval without impact assessment.
- Testing described but not evidenced.
- Rollback plan is generic or unrealistic.
- Emergency change process is informal.
- Release records hide individual changes.
Sample interview questions
- What changes are in scope for change management?
- How is security impact assessed?
- Who approves production changes?
- What testing is required before implementation?
- What happens if a change fails?
- How are emergency changes reviewed after implementation?
Common nonconformities
- Changes proceed without security impact assessment.
- Testing or rollback evidence is missing.
- Emergency changes are not reviewed.
- Change records are incomplete.
- Release bundles do not identify individual changes.
Related notes
- Audit
- Evidence
- A8 32
- Iso27001
Note Metadata
Aliases: A.8.32 Evidence
Source: 04 Audit Evidence Packs/A.8.32 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.