Are we allowed to change ISMS policies on our own
We want to make some changes to our policy before our first surveillance audit. We have the ISO 27001 certificate now. Can we simply change the policy on our own without informing anyone?
Are we allowed to change ISMS policies on our own?
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
You can change ISMS policies anytime you identify the need to, but you need to evaluate who will be impacted by the changes, and what the impacts will be, to decide who needs to be informed, and what is the information to be communicated. For example:
- a change in the Information Security Policy needs to be communicated to all personnel
- a change in a Backup Policy, regarding the change in technology, may need to be communicated only to IT personnel
- a change in a Supplier Management Policy may need to be communicated to the organization's suppliers
Comment as guest or Sign in
Jul 14, 2020