We want to make some changes to our policy before our first surveillance audit. We have the ISO 27001 certificate now. Can we simply change the policy on our own without informing anyone? Are we allowed to change ISMS policies on our own?
You can change ISMS policies anytime you identify the need to, but you need to evaluate who will be impacted by the changes, and what the impacts will be, to decide who needs to be informed and what information needs to be communicated. For example:
a change in the Information Security Policy needs to be communicated to all personnel
a change in a Backup Policy, regarding the change in technology, may need to be communicated only to IT personnel
a change in a Supplier Management Policy may need to be communicated to the organization's suppliers