A.8.32 Change management

A.8.32 Change management

Version: 3.0

Valid until: 2025-04-12

Classification: Low

Version Management


Version

Author(s)

Change(s)

Date approved

1.0

Stefan van Aalst

Edward Robinson
Sarang Kulkarni

Johanna Hakonen

Initiation document

2022-07-07

1.1

Edward Robinson

Additions/changes as part of the periodic review and improvement.


Renamed to A.12.1.2 Change management from B17 Change Management.

2022-11-16

2.0Edward RobinsonAdditions/changes as part of the annual review.

No changes were made.
2023-05-19
3.0
Edward Robinson
Additions/changes as part of the annual review.

Added that request tickets are transferred to the Innovation Lab department.

Added the evaluation of the request by the Support & Assurance team and addition of PBI to the ticket.

Added link to SIAs.

Purpose & background


In the interest of all the stakeholders, the top management of anDREa B.V. (hereafter called anDREa) is actively committed to demonstrably maintain and continually improve an information management system in accordance with the requirements of the ISO 27001:2017.


The purpose of this document is to describe the change management policy of anDREa and the associated controls, checks and administrations.


This document will be reviewed at least annually and when significant change happens.

Objectives


The objectives of this control are:


  • To ensure correct and secure operations of information processing facilities (A.12.1).

Scope

The scope of this document corresponds to Clause 4 Context of the organisation.

Availability

This document is:


  • required reading for:

    • all employees and contractors of anDREa.

  • available for all interested parties as appropriate.

Norm elements

A.12.1.2 Change management

“Changes to the organisation, business processes, information processing facilities and systems that affect information security shall be controlled.”


Guidelines for changes requested by a customer:

  • A request for a change is submitted as a ticket (feature or outside-SLA requests), and decisions and updates are tracked in the ticket. See Appendix.

  • The ticket is transferred to the Innovation Lab department in Zoho.

  • The request is evaluated by the Support & Assurance team in order to determine the impact of the change, whether a change would lead to changes in existing processes and whether it impacts security. Necessary assessments are made per request.

  • If anDREa chooses to proceed with the request for a change, a product backlog item (PBI) is created and an item is picked up accordingly based on priority, the planning and capacity of the development team (see Guidelines for changes during development cycle below). The PBI is added to the ticket and vice versa to keep track of the progress. Progress is discussed during daily standups and the monthly sprint rituals.


Guidelines for changes during the development cycle:

The development team works within the scrum framework. Changes are part of the general scrum development cycle. The operating procedures are described in A.12.1.1 Documented operating procedures and the development team works in accordance with A.14.2.1 Secure development policy. When a PBI requires a change, it is discussed with the scrum master and Operations Manager and the necessary steps are evaluated on a case-by-case basis.


When a change is required, the following guidelines are followed:

  • The impact of the change is evaluated on a case-by-case basis and whether the change would affect the current (security) processes or the architecture.

  • During the preparation of a major change, a risk assessment is always performed following the method of Clause 6 Planning. Moreover, a Security Impact Assessment (SIA) needs to be present.

  • When a change requires a major adjustment in the current processes or the architecture, a new PBI is planned and evaluated according to the operating procedures in the design phase of the PBI. 

  • When a major change involves the purchase/replacement of a critical application and/or ICT service, the instructions from A.15 Supplier relationships are always followed and the supplier requirements list is completed in full.

  • When a major change relates to the IT infrastructure and/or software development, the policies as laid down in A.13 Communications security and A.14.2.1 Secure development policy will remain in force.


Changes to the ISMS:


The following guidelines apply when changes to the ISMS are made:

  • The purpose and consequences of the change are identified.

  • The impact of the change on the coherence of the ISMS are identified.

  • Sufficient resources are made available for the change.

  • New and/or services tasks and responsibilities are identified and assigned.


The Security Officer is responsible for registering the above.

Administrations

Appendix

Flow-chart Change management for changes requested by customer



Action

Explanation

Who

Registration

1. Submit request

User or local Research Support team(s) have an idea or need to new feature. Ticket is submitted in Zoho and discussed in biweekly support team meeting.

Local Research Support team or user

Zoho ticket system

2. Moving ticket to Innovation Lab department
Based on the necessity and amount of similar requests, the ticket will be moved to the Innovation Lab department on the Zoho ticketing system.
anDREa supportZoho ticket system

3. Refine requirements

Local Research Support team(s) can refine requirements and evaluate priority before the request is presented to anDREa.

Local Research Support team


Zoho ticket system

4. Evaluate request

Incoming requests are evaluated on impact on Confidentiality, Integrity, Availability, Auditability, security risk for other Workspaces and the Core, Costs, current architecture and necessary changes. Evaluation is done on case-by-case basis. 

anDREa support, development team, Support & Assurance team



5. Proceed with normal developmental cycle

If request passes evaluation, a PBI is created and placed on the backlog. Status updates are provided to the local Research Support team through Zoho ticketing system.

anDREa support, development team, Support & Assurance team


Zoho ticket system, Azure DevOps boards

6. Deny request

If request does not meet necessary requirements, request is denied.

anDREa support, development team, Support & Assurance team


Zoho ticket system

7. Redefine requirements

When request is not complete, unclear or requires refining, this is done together with the local support team (see step 3)

Local Research Support team, anDREa support, Support & Assurance team


Zoho ticket system