This section of the ISM provides guidance on change management.

Identifying the need for change

The need for change can be identified in various ways, including:

  • identification of security vulnerabilities or cyber threats
  • users identifying problems or a need for system enhancements
  • upgrades or patches for software or ICT equipment
  • vendors notifying the end of life for software or ICT equipment
  • the implementation of new software or ICT equipment
  • organisational or business process changes
  • other continuous improvement activities.

Change management process and procedures

The use of a change management process ensures that changes to systems are made in an accountable manner with appropriate consultation and approval. Furthermore, a change management process provides an opportunity for the security impact of any changes to systems to be considered.

In implementing changes to systems, it is important that change management procedures clearly articulate the steps to be taken for each part of the change management process.

Security Control: 1211; Revision: 3; Updated: Jul-20; Applicability: O, P, S, TS
A change management process, and supporting change management procedures, is developed and implemented covering:

  • identification and documentation of requests for change
  • approval required for changes to be made
  • assessment of potential security impacts
  • notification of any planned disruptions or outages
  • implementation and testing of approved changes
  • the maintenance of system and security documentation.