We are already certified to ISO 27001 and we are going to be certified to ISO 22301 (according to your tools). During this period we are implementing a system upgrade of our servers to Windows Server 2016 with new machines (firewalls, switches, servers, backup tape drives, etc.) on our premises (our internal computer room).
1 - Please help me with the documents that I have to complete (change control, inventory, backup policy, ... what else?)
Answer: For a change, common documents and records you should consider developing are:
- change plan: so you can have a general overview of all actions required for the change
- risk assessment and treatment plan: so you can map all unacceptable risks and the measures you need to implement to minimize risks during the change
- backup plan: so you can ensure no information is lost during the change process
- validation plan: so you can verify that all changes have been achieved
- rollback plan: so you can return to the previous state if the change does not work
- equipment and system configuration parameters and installation instructions: so you know exactly what to do to install and configure assets properly
- inventory of assets: so you can keep control of all assets in your environment
For other documents, you should consider the results of your risk assessment.
Considering business continuity, you must also consider performing a business impact analysis, so you can identify the tolerable levels of availability that can help you plan your change activities.
2 - Do I have to run a risk assessment and treatment?
Answer: Yes, you have to perform a risk assessment and treatment to help you identify the main risks related to this change and plan controls to reduce the risks to acceptable levels.
3 - Do I have to call the ISO27701 auditor to check me? If yes, what is the perfect time to do it? After the completion of this project?
Answer: No. To perform the change there is no need to call an ISO 27001 auditor, but you should at least inform your certification body about it, because depending on the size of this change relative to your ISMS scope, some modifications to the next audit of your certification cycle may have to be made.
4 - Finally, what else do I have to do?
Answer: After the change you have to perform a new risk assessment to update your risk scenario and ensure this change is considered in the next management review so its results can be evaluated.