Background
----------

ISO/IEC 27002:2022 clause 8.32 indicates that "Changes to information processing facilities and information systems should be subject to change management procedures [in order] to preserve information security when executing changes."

Policy statements
-----------------

1. Follow the organisation's change management process when altering business processes or IT systems/networks, including documentation, risk assessment, management authorisation and control of configurations/settings.

2. Assess and treat information risks related to system/network changes using assurance and resilience controls, retaining the ability to delay, halt or reverse changes if the risks are unacceptable.

3. Manage the information risks associated with other significant business changes involving information (such as new business relationships or workers) in the same manner.

4. Ensure compliance with applicable laws, regulations and contracts when implementing changes, seeking advice from relevant professionals as needed.

5. Align with and adhere to management-established information risk and security objectives, policies and directives, or seek authorised exemptions.

Notes
-----

This is a "skeleton" policy providing just the bare bones, the basic foundations on which to construct a custom policy for your organisation. Jump-start the process by visiting www.SecAware.com for a more comprehensive customisable policy template in MS Word.