Free ebook: NIS2 ready using ISO 27001 best practices
Download ebook

Change management procedure for significant changes to data processing services


Inadequate change management is a common cause of incidents for digital services.

An organization shall document the change management process that must be followed whenever significant changes are made to developed digital services or other computing services that affect cyber security. The process includes requirements e.g. for the following:

  • Defining and documenting the change
  • Assessing the risks and defining the necessary control measures
  • Other impact assessment of the change
  • Testing and quality assurance
  • Managed implementation of the change
  • Updating a change log
Connected other frameworks and requirements:
14.2.2: System change control procedures
ISO 27001
14.2.4: Restrictions on changes to software packages
ISO 27001
PR.DS-6: Integrity checking
8.32: Change management
ISO 27001
No items found.