06-5 ISMS Change Process - V1.0

Customer Name Error: Reference source not found

Customer Name
Change Process
Version 1.0

Author: Enter Name
Policy Owner: Enter Name
Approved by: Policy Approval Committee
Approval Date: Enter Date
Review: Annually
Reapproval due Date: Enter Date
Document Status: Draft
Confidentiality level: INTERN
Classification: Strategies (Level 1) / Standard, Risk management (Level 2) / Policy (Level 3) / Guidance (Level 4) / Protocol, KPI (Level 5)
Document Contact: E-Mail Address
Applicability: Legal Entity
Change history:

Date       Version   Created by   Description of the change
13.01.23   0.90      DataGuard    Base-structure of the document
XX.XX.23   1.00      XX           Approved Version and minimal Changes

Document collaborators       Department   Position   Name
Collaborators and Auditors   IT           CTO        Maria Musterfrau, Max Mustermann

Approval level       Role   Date/Version   Name
Steering Committee   CEO    XX.XX.23       Martin Mustermann
Management
Head of Department

Contents
Introduction...........................................................................................................................................4
Process overview...................................................................................................................................4
ISMS change process.............................................................................................................................5
Change to ISMS identified.................................................................................................................6
Categorise change.............................................................................................................................6
Change approval................................................................................................................................7
Change planning................................................................................................................................7
Plan approval.....................................................................................................................................7
Plan execution...................................................................................................................................8
Post-execution review.......................................................................................................................8

Introduction
With the implementation of an information security management system (ISMS)
that aligns with the ISO/IEC 27001 international standard for information
security, [Organization Name] places significant importance on the continuous
effectiveness of its ISMS amidst frequent changes. The nature of these changes
impacting the ISMS can vary and may encompass the following:

- Changes in the internal and external context of our organization, such as
market conditions and other economic factors
- Planned changes to our products and services, and the processes,
operations, equipment and facilities that support them
- Changes in employee numbers and skills, suppliers and outsourced
processes
- Changes in requirements, such as new laws or variations in contracts

To maintain the alignment of our ISMS with its defined objectives, it is essential
to manage all types of changes, whether they are anticipated or unforeseen,
abrupt or gradual. This document outlines a systematic approach for identifying
and managing changes, encompassing thorough planning, efficient execution,
and necessary approvals.

For a comprehensive understanding of our ISMS, it is important to review this
document in conjunction with the following related documents that address
additional aspects of the ISMS:

- Information Security Context, Requirements and Scope
- Information Security Management System Manual
- Information Security Objectives and Plan
- ISMS Change Log

Process overview
The overall process for the management of changes to the ISMS is shown in
Figure 1. This process is followed whenever a planned or unplanned event that
affects the ISMS is identified.

Figure 1: ISMS change process overview

ISMS change process

This process is specifically designed to address changes to the ISMS that surpass
a predetermined threshold in terms of their significance and magnitude. Minor
changes that occur during the routine administration of the ISMS do not
necessitate adherence to this process. Examples of such minor changes are:

- Small amendments to documented information that may be signed off
locally where they are used, for example minor changes to procedures
- Updating records that are held as part of the ISMS, for example event and
incident logs
- Activities involved with the maintenance of controls, such as the
configuration of software or production of reports

However, changes that exceed this threshold must be defined, approved,
planned and executed as defined in this document.

Change to ISMS identified

A change to the ISMS may be identified by any one (or more) of a number of
interested parties, including:

- Roles within the ISMS (for example, information security steering group,
information security manager)
- Employees and contractors of the organization
- Suppliers to the organization
- Internal and external auditors
- Regulators and lawmakers
- Customers and clients

When proposing a change, it is essential to communicate the details to the
information security manager using suitable means such as email, verbal
communication, or collaboration tools. Subsequently, the change will be
recorded in the ISMS Change Log. The following information must be provided to
facilitate an accurate assessment of the change:

- Name and contact details of the person proposing the change
- A description of the nature of the change
- The reason for the change
- A description of which aspects of the ISMS may be affected by the change
- The urgency of the change (High, Medium or Low)

Categorise change
The information security manager will carefully review the proposed change to
determine its approval process. If the change is considered a standard change,
the information security manager has the authority to approve it. However, if the
change is deemed significant and has substantial implications for the ISMS or
fundamentally alters its operations, it will be referred to the information security
steering group for further assessment and decision-making.

Change approval
Changes that do not need to be referred will be assessed by the information
security manager. If necessary, further detail should be requested and if the
change is acceptable, it will be recorded as approved. If not, the change will be
rejected, and the decision, together with the reasons for it, communicated to the
person who proposed it.

Changes that need to be referred to the information security steering group will
be circulated to the members of that group at the earliest opportunity for
discussion. The chair of the group will be responsible for arriving at a decision
regarding the proposed change, in consultation with the other members. If the
change is acceptable, the decision will be communicated by the chair to the
information security manager who will record it as approved. If not, the change
will be rejected, and the decision, together with the reasons for it, communicated
by the information security manager to the person who proposed it.

Change planning
A plan must be produced for approved changes prior to their implementation.
The information security manager will be responsible for deciding who should
plan and implement the change, depending on its subject area. For changes
approved by the information security manager, the degree of planning
performed must be sufficient to give confidence that the change has been
thought through and is likely to be successful. Basic documentation, such as an
email, is required for such changes, setting out:

- what will be done
- what resources will be required
- who will be responsible
- when it will be completed
- how the results will be evaluated

For more significant changes which have been approved by the information
security steering group, the areas of planning should be similar, but
correspondingly more detailed to reflect the possibly increased risk and
resources required.

Plan approval
After creating the plan, it must be reviewed and approved by the same level of
authority as before. Special consideration should be given to the timing outlined
in the plan to minimize any disruption to the functioning of the ISMS. If the plan
is not approved, the planner may have the opportunity to make necessary
adjustments to make it acceptable. If adjustments cannot be made or the plan
remains unacceptable, the change will be rejected at this stage.

Plan execution
Subsequently, the plan should be executed according to the defined steps, and
the change must be effectively managed until its completion. Throughout the
implementation process, it is essential to keep the information security manager
informed of the progress. Once the implementation is finalized, the information
security manager should also be notified of its completion.

Post-execution review
After the completion of changes to the ISMS, it is important to conduct a post-
change review to ensure that the intended effects of the change have been
achieved. The specific duration for the review will be determined by the
information security manager and documented in the ISMS Change Log, taking
into account the nature of the change.

Additionally, trends in ISMS changes will be assessed as part of the management
review process.
