When to use this
Use this procedure to define how changes to systems, infrastructure, applications, code, networks, cloud resources, and operational environments are controlled.
Related controls
- A.8.32 Change Management
- A.8.19 Installation of Software on Operational Systems
- A.8.9 Configuration Management
Procedure outline
- Change request is raised.
- Business, technical, security, privacy, and operational impact are assessed.
- Testing, rollback, communication, and implementation plans are prepared.
- Authorized roles approve or reject the change.
- Change is implemented in the approved window.
- Implementation is monitored.
- Post-implementation review is completed.
- Records and documentation are updated.
Minimum requirements
- Change scope is defined.
- Security impact assessment is mandatory.
- Approval level is risk-based.
- Testing is evidenced.
- Rollback/failback is defined.
- Emergency change path is controlled.
- Change history is retained.
- Template
- Iso27001
- Change management
Note Metadata
Aliases: Change Control Procedure
Source: 90 Templates/Change Management Procedure.md
Related Notes
- A.8.32 Audit Evidence Pack
- ISO 27001 A.8.19 - Installation of Software on Operational Systems
- ISO 27001 A.8.32 - Change Management
- ISO 27001 A.8.9 - Configuration Management
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- A.8 Technological Controls Implementation Audit Risk Mapping
- ISO 27002 Annex A Control Interpretation Map
- Templates MOC