Skip to content
AuditFront
A.8.32 ISO 27001

ISO 27001 A.8.32: Change management

What This Control Requires

Changes to information processing facilities and information systems shall be subject to change management procedures.

In Plain Language

Uncontrolled changes are one of the top causes of outages, security holes, and data loss. Someone pushes a config change to production without testing it, and suddenly your service is down at 2am. Change management exists to make sure changes are planned, tested, approved, and implemented in a way that does not break things. This covers every type of change: software updates, configuration tweaks, hardware modifications, network changes, security patches. It also distinguishes between standard changes (routine, pre-approved) and non-standard changes (needing individual assessment). In modern DevOps environments, change management does not mean slow bureaucracy. CI/CD pipelines handle frequent deployments, but the underlying principles - assessment, approval, testing, documentation, rollback capability - are still there, just automated and embedded in the pipeline.

How to Implement

Define a change management policy and process covering all changes to information processing systems. Categorise changes: standard (pre-approved, low-risk, repeatable), normal (require assessment and approval), and emergency (urgent fixes with expedited approval and retrospective review). For each change, capture: a description and purpose, risk assessment covering security and availability impact, testing plan and results, step-by-step implementation plan, rollback plan, affected systems and stakeholders, required approvals, and scheduled implementation window. Set up a Change Advisory Board (CAB) or equivalent approval process for non-standard changes. The CAB reviews risk, testing results, and implementation readiness. Make sure security has a seat at the table to assess implications. For automated CI/CD deployments, embed these principles as automated gates rather than manual reviews. Test changes before they touch production. Use your separated test and staging environments. Include security testing in the validation. Confirm the change does not introduce vulnerabilities or break existing security controls. Log every change. Record the description, date, who implemented it, who approved it, test results, and the outcome. This log serves auditors and is invaluable during incident investigation since many incidents trace back to a recent change. For significant changes, run a post-implementation review. Verify the change achieved its goal. Confirm no unintended side effects. Assess whether the process worked well. Update documentation to reflect the new state. For emergencies, have an expedited process that allows fast action while keeping essential controls in place. Emergency changes still get documented, tested where possible, and reviewed after the fact. If you are using the emergency path too often, that is a sign your standard process needs fixing.

Evidence Your Auditor Will Request

  • Change management policy and process documentation
  • Change request records with risk assessments and approvals
  • Change testing records including security testing results
  • Change implementation logs with dates, implementers, and outcomes
  • Post-implementation review records for significant changes

Common Mistakes

  • Changes are made directly to production without following the change management process
  • Risk assessment does not consider security implications of changes
  • Changes are not tested before production implementation
  • Rollback plans are not defined or tested
  • Emergency change process is overused, bypassing normal controls

Related Controls Across Frameworks

Framework Control ID Relationship
SOC 2 CC8.1 Equivalent
NIS2 Art.21(2)(d) Partial overlap

Frequently Asked Questions

How does change management work in a DevOps environment?
In DevOps, change management lives inside the CI/CD pipeline rather than being a manual gate. Automated testing (unit, integration, security) replaces manual test cycles. Automated deployments with feature flags replace scheduled maintenance windows. Peer code review replaces CAB review for standard changes. The principles of assessment, testing, approval, and documentation are all still there - they are just automated and continuous rather than bureaucratic and slow.
Should security patches follow the full change management process?
Critical patches, especially for actively exploited vulnerabilities, should follow a fast-track process. Define an expedited path that keeps the essential controls - testing, documentation, rollback capability - while cutting out unnecessary delays. You are balancing two risks: deploying an untested change versus leaving a known vulnerability open. For truly critical patches, speed usually wins, but you still document and review after the fact.

Track ISO 27001 compliance in one place

AuditFront helps you manage every ISO 27001 control, collect evidence, and stay audit-ready.

Start Free Assessment