Formal Change Management Process

Does your organisation have a formal change management process that gives consideration to information security?

As part of our ISO 27001 certified ISMS, we have a documented Change Management Policy that incorporates information security and data protection elements (including DPIAs, etc.), as well as the appointment of new suppliers. A standardised template record is used for operational changes.

The development of the Commonplace platform is managed through the development lifecycle. When a change is identified that may affect information security or data protection, we engage our Information Security Officer, who reviews the scope and objectives of the change and completes our Change Management review, including a DPIA triage to identify whether a DPIA is required.

Where this process identifies items that affect information security or data protection, implementation planning and testing steps are put in place and worked through by a team of the internal stakeholders relevant to the change.

Any new risks are added to the risk register with appropriate controls implemented where required.
Appointment of suppliers is included in this process with applicable due diligence being completed via our Supplier Selection procedure.

As part of our Change Management procedure, where a new processing activity requiring a lawful basis is identified and Legitimate Interests is the selected basis, a Legitimate Interests Assessment is incorporated into the procedure to ensure it is completed and recorded along with the DPIA and other change records.

A copy of our Change Management Policy is available upon request from customers@commonplace.is