Change Management
Planning of Changes
With our retained clients looking to transition to the new version of ISO 27001, Information Security Management, there can be a great deal of focus on controls and Annex A of the standard. One update to the clause structure in ISO 27001 is the inclusion of Clause 6.3, ‘Planning of Changes’. Whilst those familiar with ISO 9001 will recognise the text, it does bring alignment with other standards and the Annex SL structure, and of course it widens the consideration of change management beyond information systems.
Why Change Management
Change management is a systematic approach to initiating, communicating and implementing a transition or transformation. An organisation’s context is changing constantly and often very rapidly; however, the type and extent of change, and therefore the level of change management needed, varies widely between organisations. The organisation should assess its context, future developments and risks, and make conscious decisions on what type of change is relevant and necessary. To mitigate the impact of changes in context and the associated risks, the organisation should adopt a relevant change management approach.
For change to happen the following are usually necessary:
- dissatisfaction with current performance, or concern for future performance
- a clear idea of the intended outcome following implementation of the change
- a clear idea of what actions need to be taken
- a willingness to embrace change
Many internal and external interested parties (e.g., employees, customers, suppliers, shareholders, the community) are affected by changes to what an organisation is doing, or how it is doing it. It is important to note that if change is necessary to address changing needs and expectations but the organisation does not take action, this can have a significant negative impact on both the organisation and other relevant interested parties.
ISO 9001 includes further supporting text asking organisations to consider:
- The purpose and potential consequences of any change
- The integrity of existing systems
- Available resources
- Responsibilities and authorities
Where controlled change is a goal, there are frameworks to support these activities.
A final word on ISO 27001 and information security control 8.32, Change Management. To some extent it seems like repetition to include the new clause, but in addition to the wider organisational context, the control, if applied, is aimed fairly and squarely at preserving information security when executing changes.
Whether change and improvement projects are commonplace or infrequent, the benefits of applying a consistent change management process shouldn’t be underestimated.
To find out more about change management and risk-based thinking, join our next CQI IRCA approved training course or ask for consultative guidance on best available techniques in this and other management system requirements.