When the organization determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.
Determining the need for changes to the Information Security Management System (ISMS) is a critical aspect of ensuring that the organization can adapt to evolving risks, technologies, and business requirements. Here’s how the organization can determine the need for changes to the ISMS:
- Regular Monitoring and Measurement: Implement continuous monitoring and measurement processes to assess the performance of the ISMS. Regularly review key performance indicators (KPIs) and other metrics to identify trends, patterns, or anomalies.
- Review of Security Incidents and Events: Analyze security incidents, breaches, and near misses to identify weaknesses or gaps in the ISMS. Consider the root causes of incidents and use them as inputs for potential improvements.
- Periodic Risk Assessments: Conduct regular risk assessments to identify new risks, changes in the risk landscape, or emerging threats. Assess the impact and likelihood of identified risks and update risk treatment plans accordingly.
- Changes in Legal and Regulatory Requirements: Monitor changes in relevant laws, regulations, and contractual obligations related to information security. Evaluate the impact of these changes on the organization’s ISMS and implement necessary adjustments.
- Technology Changes: Stay informed about technological advancements and changes that may affect the security of information assets. Assess the compatibility of existing controls with new technologies and update the ISMS accordingly.
- Business Changes and Objectives: Review changes in the organization’s business strategy, objectives, structure, or processes. Ensure that the ISMS aligns with the organization’s current business goals and priorities.
- Feedback and Suggestions: Encourage feedback from employees, stakeholders, and individuals involved in the ISMS. Establish channels for reporting security concerns, suggestions, or improvement opportunities.
- Audit and Assessment Findings: Conduct internal and external audits of the ISMS to identify areas of non-compliance, weaknesses, or opportunities for improvement. Use audit findings as a basis for implementing corrective actions and improvements.
- Performance Reviews and Management Reviews: Schedule regular performance reviews and management reviews of the ISMS. Evaluate the effectiveness of security controls, assess the achievement of information security objectives, and identify areas for improvement.
- Incident Response and Lessons Learned: Analyze the organization’s response to security incidents. Use lessons learned from incidents to identify improvements in incident response procedures, training, or controls.
- Employee Awareness and Training: Monitor the awareness and training programs for employees regarding information security. Identify areas where additional training or awareness initiatives are needed.
- Customer and Partner Feedback: Seek feedback from customers, partners, and other external stakeholders regarding information security. Use feedback to identify areas for improvement and ensure alignment with external expectations.
- Benchmarking: Consider benchmarking against industry best practices, standards, and the performance of peer organizations. Identify opportunities to enhance the ISMS based on benchmarking results.
- Security Culture Assessment: Assess the organization’s security culture and awareness. Identify areas where the security culture can be strengthened through training, communication, or policy enhancements.
- Business Continuity and Disaster Recovery Exercises: Conduct exercises and tests of business continuity and disaster recovery plans. Use the outcomes to identify improvements and ensure the ISMS’s readiness for unforeseen events.
By considering these factors and maintaining a proactive and vigilant approach, the organization can effectively determine the need for changes to the ISMS. Regular reviews, assessments, and a commitment to continuous improvement are fundamental principles for ensuring that the ISMS remains effective and resilient in the face of evolving threats and organizational dynamics.

Ensuring that changes to the Information Security Management System (ISMS) are carried out in a planned manner is crucial for maintaining the effectiveness and integrity of the security measures. The process of planning and implementing changes should be systematic, controlled, and aligned with the organization’s overall objectives. Here are the steps to ensure that changes to the ISMS are carried out in a planned manner:
- Establish a Change Management Process: Develop and implement a formal change management process that outlines the steps and controls for proposing, evaluating, approving, and implementing changes to the ISMS. Clearly define roles and responsibilities within the change management process.
- Documented Change Procedures: Create documented procedures that provide step-by-step guidance on how changes are to be proposed, assessed, and implemented. Specify the information required for change requests, including the reason for the change, potential impact, and proposed mitigation measures.
- Impact Assessment: Conduct a thorough impact assessment for each proposed change. Evaluate how the change may affect the organization’s information security, including risks, compliance, and operational aspects.
- Risk Assessment and Mitigation: Integrate risk assessment into the change management process. Identify potential risks associated with the proposed change and develop mitigation strategies to address them.
- Change Approval Process: Establish a formal process for approving changes to the ISMS. Define criteria for approval, including considerations for risk, cost, benefits, and compliance.
- Communication Plan: Develop a communication plan to inform relevant stakeholders about the upcoming changes. Ensure that communication includes details such as the nature of the change, its purpose, and any expected impact on operations.
- Testing and Validation: Conduct testing and validation activities to ensure that the proposed changes will not negatively impact the security or functionality of information systems. Develop test cases and scenarios to verify the effectiveness of security controls after the change.
- Backout Plan: Establish a backout plan in case the change does not proceed as expected or results in unforeseen issues. Ensure that the backout plan is well documented and includes steps to revert to the previous state.
- Training and Awareness: Provide training to relevant personnel on the upcoming changes and any new security measures or procedures. Enhance awareness to ensure that employees are prepared for the changes.
- Implementation Timeline: Define a clear timeline for implementing the change. Consider scheduling changes during periods of lower operational impact, if possible.
- Monitoring and Feedback: Implement monitoring mechanisms to track the progress and performance of the change during and after implementation. Encourage feedback from users and stakeholders to identify any issues or areas for improvement.
- Post-Implementation Review: Conduct a post-implementation review to assess the success of the change. Evaluate whether the change achieved its intended objectives and address any discrepancies.
- Documentation and Records: Document all aspects of the change management process, including change requests, approvals, testing results, and post-implementation reviews. Maintain records for auditing and compliance purposes.
- Continuous Improvement: Use insights gained from the change management process to continually improve the organization’s ability to manage and implement changes effectively.
By incorporating these steps into the change management process, the organization can ensure that changes to the ISMS are carried out in a planned, controlled, and systematic manner. This approach helps minimize risks, ensure compliance, and maintain the integrity of the information security controls in place.
Example of procedure for change management in information security
1. Purpose: The purpose of this procedure is to establish a structured and controlled process for proposing, evaluating, approving, and implementing changes to the Information Security Management System (ISMS).
2. Scope: This procedure applies to all changes that may impact the confidentiality, integrity, or availability of information assets within the organization.
3. Roles and Responsibilities:
- Information Security Officer (ISO): Overall responsibility for overseeing the change management process.
- Change Initiator: The individual or team proposing the change.
- Change Review Board: Responsible for assessing and approving/rejecting proposed changes.
- IT Security Team: Implements approved changes.
- Documentation Manager: Ensures proper documentation of change details.
4. Change Request Submission:
- Initiation:
  - The Change Initiator completes a Change Request Form, providing details such as the reason for the change, expected benefits, potential risks, and a preliminary impact assessment.
  - The Change Initiator submits the Change Request Form to the ISO.
- Review and Validation:
  - The ISO reviews the Change Request Form for completeness and relevance.
  - If necessary, the ISO collaborates with the Change Initiator to clarify or gather additional information.
5. Change Evaluation:
- Impact Assessment:
  - The ISO conducts an impact assessment to evaluate the potential effects of the proposed change on information security.
  - Risks associated with the change are identified and documented.
- Risk Mitigation:
  - Develop a plan to mitigate identified risks.
  - Assess whether the proposed mitigations are sufficient to proceed.
6. Change Approval:
- Change Review Board Meeting:
  - The Change Review Board convenes to review the Change Request, impact assessment, and risk mitigation plan.
  - The Change Review Board approves or rejects the change based on predefined criteria.
- Approval Notification:
  - The ISO communicates the decision of the Change Review Board to the Change Initiator.
  - If approved, the ISO notifies the IT Security Team for implementation.
7. Change Implementation:
- Planning:
  - The IT Security Team develops a detailed plan for implementing the approved change.
  - The plan includes a timeline, resource allocation, and testing procedures.
- Testing:
  - Conduct testing of the change in a controlled environment.
  - Verify that the change does not negatively impact information security controls.
- Implementation:
  - Execute the change during a predefined maintenance window or low-impact period.
  - Monitor the implementation for any unexpected issues.
8. Post-Implementation Review:
- Assessment:
  - Conduct a post-implementation review to assess the success of the change.
  - Compare the actual outcomes against the expected results.
- Documentation:
  - Document the results of the post-implementation review, including lessons learned and areas for improvement.
  - Update documentation as necessary.
9. Communication:
- Communicate changes, including their purpose and potential impacts, to relevant stakeholders.
- Provide awareness training to affected personnel.
10. Documentation and Records:
- Maintain records of all change requests, evaluations, approvals, implementation details, and post-implementation reviews.
- Ensure proper version control and storage of documentation.
11. Continuous Improvement:
- Use insights from the change management process to identify opportunities for continuous improvement.
- Review and update the change management procedure as needed.
12. Review and Approval:
- The procedure undergoes periodic reviews to ensure its effectiveness and relevance.
- Any necessary updates are made, and the revised procedure is approved.
13. References: Include references to relevant policies, standards, and regulatory requirements that guide change management in information security.
Change Request Record: Information Security
1. Change Request Details:
- Change ID: CR-2023-001
- Requestor Name: [Name of the person initiating the change]
- Date Requested: [Date of the change request initiation]
- Change Title/Description: Firewall Software Upgrade
2. Reason for Change:
- Description: The firewall software upgrade is necessary to address recently identified vulnerabilities and enhance the overall security posture of the organization.
3. Scope of the Change:
- Affected Systems/Assets:
  - Firewall System A
  - Firewall System B
- Impact on Information Security:
  - Improved intrusion detection and prevention capabilities.
  - Enhanced logging and monitoring features.
4. Risk Assessment:
- Identified Risks:
  - Potential service disruption during the upgrade.
  - Incompatibility with existing firewall rules.
- Risk Mitigation Plan:
  - Conduct the upgrade during a scheduled maintenance window to minimize impact.
  - Develop and test rollback procedures in case of unexpected issues.
5. Proposed Changes:
- Detailed Description: The upgrade will involve installing the latest version of the firewall software (Version X.Y.Z). Configuration settings will be adjusted to align with best practices for improved security.
- Security Controls:
  - Strengthened access controls.
  - Implementation of enhanced threat intelligence feeds.
6. Testing and Validation:
- Testing Plan:
  - Conduct testing in a controlled environment to ensure the upgraded firewall functions as expected.
  - Validate the effectiveness of new security controls.
7. Approval:
- Change Review Board (CRB) Approval:
  - Approved by CRB on [Date].
8. Implementation Plan:
- Timeline:
  - Start Date: [Scheduled Date]
  - End Date: [Scheduled Date]
- Resources Required:
  - IT Security Team members for implementation.
  - Test environments for validation.
9. Backout Plan:
- Description: In case of issues or disruptions, rollback procedures will be executed to revert to the previous version of the firewall software.
10. Communication:
- Stakeholder Notification:
  - Stakeholders will be notified via email one week before the scheduled upgrade, detailing the expected benefits and any potential impact on services.
11. Post-Implementation Review:
- Review Date:
  - Post-implementation review scheduled for [Date].
- Lessons Learned:
  - Document any lessons learned during or after the implementation for future reference and improvement.
12. Documentation and Records:
- Record Keeping:
  - All documentation related to this change request will be stored in the Change Management Repository.
13. Change Status:
- Status:
  - Proposed -> Approved -> Implemented -> Closed
14. Approval Signatures:
- Requestor:
  - [Signature] [Date]
- CRB Approval:
  - [Signature] [Date]