GRCWatch
Sign inStart free trial

ISO 27001 Control 8.32: Change Management for Information Systems

Change management is your control gate against unauthorized modifications that introduce vulnerabilities into your systems. ISO 27001 8.32 requires documented procedures to evaluate, approve, and track all changes to information processing facilities and systems. Without this control, well-intentioned updates can accidentally expose sensitive data or create security gaps.

What this means

This control mandates that any changes to your IT infrastructure, applications, configurations, or systems must follow a formal change management process. The process should identify proposed changes, assess their security and business impact, obtain necessary approvals, implement them in controlled ways, and maintain audit trails. This prevents accidental or malicious modifications that could compromise confidentiality, integrity, or availability of information assets.

How to comply

  1. 1.Establish a documented change management policy that defines what constitutes a change and who can request modifications
  2. 2.Create a change request process requiring submission of details: description, business justification, affected systems, and implementation timeline
  3. 3.Implement a change advisory board or approval workflow with defined roles (requester, technical reviewer, security reviewer, approver)
  4. 4.Conduct impact assessments for each change, including security, compliance, operational, and rollback risk analysis
  5. 5.Test changes in non-production environments before deployment to production systems
  6. 6.Define emergency change procedures for critical security fixes with expedited but still-documented approval
  7. 7.Document all approved and rejected changes with reasons, approval dates, and implementation records
  8. 8.Maintain a change log or registry tracking all modifications for audit trails and compliance verification
  9. 9.Schedule periodic change reviews to identify patterns, unauthorized changes, or process gaps

Evidence auditors look for

  • Change management policy document defining procedures, roles, and escalation paths
  • Change request templates capturing change type, business case, technical details, and risk assessment
  • Approved change register or log with timestamps, approver names, and implementation evidence
  • Change advisory board meeting minutes demonstrating review and approval decisions
  • Pre- and post-implementation test results validating changes function as intended
  • Emergency change procedures with expedited approval workflows for critical patches
  • Change rollback documentation showing contingency plans and reverse procedures
  • System logs or audit trails proving changes were implemented as approved
  • Rejected change records with documented reasons for denial
  • Training records demonstrating staff understand change management requirements

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates change request workflows with built-in approval routing, risk assessment templates, and audit-ready logs—eliminating manual spreadsheets and ensuring every system change is tracked, approved, and documented for ISO 27001 compliance.

See how GRCWatch handles this control automatically

Start free trial

Related controls

ISO 27001 8.31 — Separation of Development, Testing and Production EnvironmentsISO 27001 8.33 — Information Security Impact AnalysisISO 27001 8.1 — User Endpoint DevicesISO 27001 5.23 — Information Security for Supplier Relationships