Checklist of ISO/IEC 27001-A.14.2.2 System change control procedures


IT system change management has become critical for organizations to ensure the security, reliability, and performance of their systems. 

The ISO 27001 standard provides guidance on ensuring effective system change control procedures to manage IT changes in a systematic and controlled manner. 

This article will discuss ISO 27001’s A.14.2.2 control objective, which emphasizes the importance of reviewing IT system change control procedures.

Sample Checklist:

  • Review IT system change management policies, procedures, standards, practices, and related records.
  • Check if the policies and procedures include planning and testing of changes, impact assessments, and installation verification checks.
  • Ensure that fall-back/back-out/reversion procedures are in place for both standard and emergency changes.
  • Verify if significant changes to computing and telecommunications equipment, system and security parameters, system and application software, and firmware are covered.
  • Review a small sample of system change management records focusing on high-risk system changes.
  • Check if system changes are properly documented, justified, and authorized by management.
  • Look for improvement opportunities in the existing system change control procedures.


In conclusion, ISO 27001’s A.14.2.2 control objective highlights the importance of implementing effective IT system change management procedures. 

To ensure that the IT system change management procedures are well-designed, organizations must review their policies, procedures, standards, and practices regularly.

By doing so, organizations can identify areas for improvement and address them before they become major issues. 

With proper system change control procedures in place, organizations can ensure the security, reliability, and performance of their systems, which is crucial for maintaining the trust of their customers and stakeholders.

See also  Checklist of ISO/IEC 27001-A.9.3.1 Use of secret authentication information

Leave a comment

Your email address will not be published. Required fields are marked *