Changes to information systems, such as replacing a network device, creating a new database instance, or upgrading software, are often necessary to improve performance, reduce costs and increase efficiencies.
If not carried out correctly, changes to information processing facilities and systems may compromise the data stored or processed in them.
ISO 27001:2022 Annex A 8.32 examines how organisations can set up and execute change management procedures to monitor, examine and manage changes to the information processing facilities and systems.
ISO 27001:2022 Annex A Control 8.32 allows organisations to safeguard information assets whilst making changes to information processing systems and facilities. It does this by setting up, carrying out and managing change management rules and procedures.
Chief Information Security Officers, with the expertise of domain experts, should be responsible for designing and enforcing change control procedures that apply to all stages of the information system life cycle, in accordance with ISO 27001:2022 Annex A Control 8.32.
All modifications to information systems, as well as the implementation of novel systems, should abide by an established set of regulations and procedures. The details of these changes must be explicitly stated and documented. Additionally, they must pass through assessment and quality assurance processes.
Organisations should allocate management duties to the most suitable management and stipulate the necessary procedures to guarantee all changes are in line with change control regulations and standards.
ISO 27001:2022 Annex A Control 8.32 enumerates nine components to be featured in the change management procedure:
Organisations should strive to incorporate change control procedures for software and ICT infrastructure as much as possible.
Changes in the production environment, e.g. operating systems and databases, may endanger application integrity and availability, specifically the transfer of software from development to production.
Organisations should be wary of the potential outcomes of altering software in their production environment. Unforeseen repercussions could arise, so caution should be exercised.
Organisations should run tests on ICT components in a safe, separate environment, away from development and production.
Organisations can gain more control over new software and safeguard the real-world data used for testing with patches and service packs, providing an extra layer of protection.
ISO 27001:2022 Annex A 8.32 replaces the four sections of ISO 27001:2013 Annex A 12.1.2, 14.2.2, 14.2.3, and 14.2.4.
In ISO 27001:2013, the change control procedures were more specified than they will be in 2022.
Three key distinctions can be identified between the two versions.
The ISO 27001:2022 and ISO 27001:2013 versions both state, in a non-exhaustive manner, what should be included in a change procedure.
The 2013 edition featured components not mentioned in the 2022 variant:
Annex A 14.2.3 of ISO 27001:2013 outlines ways in which organisations can reduce the negative impacts and disturbances on business operations that can come from changes to operating systems.
In comparison, ISO 27001:2022 does not feature any requirements for modifications.
Annex A 14.2.4, addressed to ‘Changes to Software Packages’ in ISO 27001:2013, this is not included in the ISO 27001:2022 version.
In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.
Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
---|---|---|---|
Organisational Controls | Annex A 5.1 | Annex A 5.1.1 Annex A 5.1.2 | Policies for Information Security |
Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
Organisational Controls | Annex A 5.8 | Annex A 6.1.5 Annex A 14.1.1 | Information Security in Project Management |
Organisational Controls | Annex A 5.9 | Annex A 8.1.1 Annex A 8.1.2 | Inventory of Information and Other Associated Assets |
Organisational Controls | Annex A 5.10 | Annex A 8.1.3 Annex A 8.2.3 | Acceptable Use of Information and Other Associated Assets |
Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
Organisational Controls | Annex A 5.14 | Annex A 13.2.1 Annex A 13.2.2 Annex A 13.2.3 | Information Transfer |
Organisational Controls | Annex A 5.15 | Annex A 9.1.1 Annex A 9.1.2 | Access Control |
Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
Organisational Controls | Annex A 5.17 | Annex A 9.2.4 Annex A 9.3.1 Annex A 9.4.3 | Authentication Information |
Organisational Controls | Annex A 5.18 | Annex A 9.2.2 Annex A 9.2.5 Annex A 9.2.6 | Access Rights |
Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
Organisational Controls | Annex A 5.22 | Annex A 15.2.1 Annex A 15.2.2 | Monitoring, Review and Change Management of Supplier Services |
Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
Organisational Controls | Annex A 5.29 | Annex A 17.1.1 Annex A 17.1.2 Annex A 17.1.3 | Information Security During Disruption |
Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
Organisational Controls | Annex A 5.31 | Annex A 18.1.1 Annex A 18.1.5 | Legal, Statutory, Regulatory and Contractual Requirements |
Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
Organisational Controls | Annex A 5.36 | Annex A 18.2.2 Annex A 18.2.3 | Compliance With Policies, Rules and Standards for Information Security |
Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |
Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
---|---|---|---|
People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
People Controls | Annex A 6.8 | Annex A 16.1.2 Annex A 16.1.3 | Information Security Event Reporting |
Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
---|---|---|---|
Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
Physical Controls | Annex A 7.2 | Annex A 11.1.2 Annex A 11.1.6 | Physical Entry |
Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
Physical Controls | Annex A 7.10 | Annex A 8.3.1 Annex A 8.3.2 Annex A 8.3.3 Annex A 11.2.5 | Storage Media |
Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |
Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
---|---|---|---|
Technological Controls | Annex A 8.1 | Annex A 6.2.1 Annex A 11.2.8 | User Endpoint Devices |
Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
Technological Controls | Annex A 8.8 | Annex A 12.6.1 Annex A 18.2.3 | Management of Technical Vulnerabilities |
Technological Controls | Annex A 8.9 | NEW | Configuration Management |
Technological Controls | Annex A 8.10 | NEW | Information Deletion |
Technological Controls | Annex A 8.11 | NEW | Data Masking |
Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
Technological Controls | Annex A 8.15 | Annex A 12.4.1 Annex A 12.4.2 Annex A 12.4.3 | Logging |
Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility Programs |
Technological Controls | Annex A 8.19 | Annex A 12.5.1 Annex A 12.6.2 | Installation of Software on Operational Systems |
Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
Technological Controls | Annex A 8.23 | NEW | Web filtering |
Technological Controls | Annex A 8.24 | Annex A 10.1.1 Annex A 10.1.2 | Use of Cryptography |
Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
Technological Controls | Annex A 8.26 | Annex A 14.1.2 Annex A 14.1.3 | Application Security Requirements |
Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering Principles |
Technological Controls | Annex A 8.28 | NEW | Secure Coding |
Technological Controls | Annex A 8.29 | Annex A 14.2.8 Annex A 14.2.9 | Security Testing in Development and Acceptance |
Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
Technological Controls | Annex A 8.31 | Annex A 12.1.4 Annex A 14.2.6 | Separation of Development, Test and Production Environments |
Technological Controls | Annex A 8.32 | Annex A 12.1.2 Annex A 14.2.2 Annex A 14.2.3 Annex A 14.2.4 | Change Management |
Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |
Our cloud platform offers a strong structure of information security measures, enabling you to tick off your ISMS process as you progress, guaranteeing it meets the ISO 27000k criteria.
ISMS.online can help you attain certification efficiently and with minimal resources. When employed correctly, it can be a great asset in achieving this goal.
Contact us now to schedule a demonstration.
Book a tailored hands-on session
based on your needs and goals
Book your demo
Download our free guide to fast and sustainable certification