Operational change

Guest user Created:   Jun 09, 2017 Last commented:   Jun 09, 2017


We are already certified by ISO 27001 and we are going to be certified with ISO 22301 (according to your tools). During this period we are implementing a system upgrade on our servers to Windows Server 2016 with new machines (firewalls, switches, servers, backup tape drives, etc.) on our premises (our internal computer room).

Rhand Leal Jun 09, 2017

1 - Please help me with the documents that I have to complete (change control, inventory, backup policy, … what else?)

Answer: For a change, common documents and records you should consider developing are:
- change plan: so you can have a general overview of all actions required for the change
- risk assessment and treatment plan: so you can map all unacceptable risks and the measures you need to implement to minimize risks during the change
- backup plan: so you can ensure no information is lost during the change process
- validation plan: so you can verify if all changes are achieved
- roll back plan: so you can return to previous state if the change does not work
- equipment and system configuration parameters and installation instructions: so you can know exactly what to do to install and configure assets properly
- inventory of assets: so you can keep control of all assets in your environment

For other documents, you should consider the results of your risk assessment.

Considering business continuity, you also must consider performing a business impact analysis, so you can identify tolerable availabilities that can help you plan your change activities.

2 - Do I have to run Risk Assessment Treatment?

Answer: Yes, you have to perform a risk assessment and treatment to help you identify the main risks related to this change and plan controls to reduce risks to acceptable levels.

3 - Do I have to call the inspector of ISO27701 to check me? If yes, what is the perfect time to do it? After the completion of this project?

Answer: No. To perform the change there is no need to call an ISO 27001 auditor, but you should at least inform your certification body about that, because depending on the size of this change regarding your ISMS scope, some modifications to your next audit of your certification cycle may have to be made.

4 - Finally, what else do I have to do?

Answer: After the change you have to perform a new risk assessment to update your risk scenario and ensure this change is considered in the next management review so its results can be evaluated.

This article will provide you further explanation about Operational change:
- How to manage changes in an ISMS according to ISO 27001 A.12.1.2

These materials will also help you regarding Operational change:
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation
- Book ISO 27001 Risk Management in Plain English
