Change management and Change classification
How do we define what changes need to be regulated by Change Management and what changes do not?
Can you maybe share a list with examples or criteria you see used?
I’m assuming that by change management, you are referring to control A.8.32 Change Management.
Considering that, any change involving information, processes, or facilities stated in the ISMS scope needs to be regulated by Change Management.
For example, if R&D information is included in the ISMS scope, then any change that may impact this information (e.g., a change in an information system that processes R&D data) needs to be controlled by Change Management.
This article will provide you with further explanation about change management (although the article is about ISO 27001:2013 control for change management, the concepts are the same for the ISO 27001:2022 control).
Oct 05, 2023