Technological Control 8.32

Change Management

Summary

Changes to information processing facilities and systems should be subject to change management procedures. This ensures that all modifications are planned, documented, tested, and approved to minimize the risk of service disruption or security gaps.

Applicability

In-Scope: Mandatory for all organizations. It is the primary control for maintaining system integrity and ensuring that the organization remains in a known-good state after every technical update.

Out-of-Scope: Never out-of-scope.

Implementation Guidance

Microsoft 365 / Entra ID

  • Change Tracking: Use a restricted SharePoint List or Microsoft Planner to document all requested changes, including the risk assessment and back-out plan.

  • Audit Logging: Monitor the Entra ID Audit Logs and Azure Activity Logs to verify that all changes made to the tenant configuration match an approved change request.

  • Infrastructure as Code (IaC): Use Bicep or Terraform templates stored in a version-controlled repository to manage environment changes, ensuring every modification is peer-reviewed and documented.

Evidence Checklist

  • Change Management Policy: Documented procedures for requesting, testing, approving, and implementing technical changes.

  • Change Request Records: A history of recent changes including the description, impact analysis, and formal approval by the Change Advisory Board (CAB) or manager.

  • Back-out Plans: Evidence that every major change has a documented method to revert the system if the implementation fails.

Practical Audit Advice

Here are some questions the auditor might ask:

  • What is the process for handling an emergency change that must be implemented outside of the standard review cycle?

  • How do you ensure that the person requesting the change is not the same person who formally approves it (Segregation of Duties)?

  • Can you provide the documentation for a recent major system change, including the test results and the formal sign-off?

  • How does the organization identify and address unauthorized changes that were made to the system without a corresponding change request?
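As an added example (not part of the original page or any Microsoft tooling), the following Python script reconciles exported Entra ID audit entries against a change register, applying the segregation-of-duties rule from the auditor questions above so that a self-approved request does not count as authorization. The audit entries are constructed and shaped like Microsoft Graph directoryAudit records; the change-register fields, users, targets and windows are constructed placeholders.

```python
from datetime import datetime, timezone
# Constructed change register. A request only counts as approved when the
# requester and approver are different people (segregation of duties).
CHANGE_REQUESTS = [
    {"id": "CR-101", "requester": "alice@example.com", "approver": "bob@example.com",
     "target": "CA policy: Require MFA for admins",
     "window_start": "2024-05-10T18:00:00Z", "window_end": "2024-05-10T20:00:00Z"},
    {"id": "CR-102", "requester": "carol@example.com", "approver": "carol@example.com",
     "target": "Group: Global Administrators",
     "window_start": "2024-05-11T09:00:00Z", "window_end": "2024-05-11T10:00:00Z"},
]

# Constructed audit entries, shaped like Graph directoryAudit records (assumption).
AUDIT_LOG = [
    {"activityDateTime": "2024-05-10T18:42:10Z", "activityDisplayName": "Update policy",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
     "targetResources": [{"displayName": "CA policy: Require MFA for admins"}]},
    {"activityDateTime": "2024-05-11T09:15:00Z", "activityDisplayName": "Add member to group",
     "initiatedBy": {"user": {"userPrincipalName": "carol@example.com"}},
     "targetResources": [{"displayName": "Group: Global Administrators"}]},
    {"activityDateTime": "2024-05-12T02:03:00Z", "activityDisplayName": "Update policy",
     "initiatedBy": {"user": {"userPrincipalName": "dave@example.com"}},
     "targetResources": [{"displayName": "CA policy: Block legacy auth"}]},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def valid_requests(requests):
    """Keep only requests that satisfy segregation of duties."""
    return [r for r in requests if r["requester"].lower() != r["approver"].lower()]

def reconcile(audit_log, requests):
    """Return audit entries not covered by a valid request for the same target
    inside its approved window: the candidate unauthorized changes."""
    approved = valid_requests(requests)
    unmatched = []
    for entry in audit_log:
        ts = parse_ts(entry["activityDateTime"])
        targets = {t["displayName"] for t in entry["targetResources"]}
        covered = any(r["target"] in targets
                      and parse_ts(r["window_start"]) <= ts <= parse_ts(r["window_end"])
                      for r in approved)
        if not covered:
            unmatched.append(entry)
    return unmatched

for e in reconcile(AUDIT_LOG, CHANGE_REQUESTS):
    print("UNMATCHED", e["activityDateTime"], e["initiatedBy"]["user"]["userPrincipalName"],
          e["activityDisplayName"])
```

Matching on target name and time window is deliberately coarse; in practice the change request id can be carried in the deployment pipeline (for example as a commit or Bicep/Terraform run tag) so the reconciliation keys on that instead.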

Templates for this control

Downloadable ISO 27001:2022 templates relevant to this control. Use them as a starting point for your own documentation.

Dependency Management Procedure (docx)

Defines the process for evaluating, approving, and updating third-party libraries and software dependencies.

Library Update Approval Form (xlsx)

Tracks the approval process for updating third-party libraries and software dependencies.
