Change management
May I ask if change management is required by ISO 27001? If yes, could you please share your resources with me?
First, it is important to note that change management exists in ISO 27001 as one control from its Annex A (control A.12.1.2 Change management), but it can be excluded under certain conditions.
Provided that your organization does not have relevant risks or legal requirements (e.g., laws, regulations, or contracts) that require the implementation of change management, it is possible to be certified against ISO 27001 without implementing this control.
To see what a change management document compliant with ISO 27001 looks like, please see the demo at this link: https://advisera.com/27001academy/documentation/change-management-policy/
These articles will provide you with a further explanation about the definition of controls and change management:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/
Sep 17, 2020