A.8.32 Change Management
What is this control?
ISO 27001 control A.8.32 Change Management ensures that changes to information processing facilities and systems are subject to change management procedures. The control implements formal change control via Azure DevOps work items, risk assessment before implementation, testing and approval requirements, rollback procedures, and post-implementation review to maintain system integrity and availability.
How to implement in Microsoft 365
Implement A.8.32 by requiring all changes to be documented in Azure DevOps work items with change description, risk assessment, test plan, rollback plan, and approver. Implement approval workflows in Azure DevOps requiring CAB or designated approver sign-off before implementation. Deploy changes via Azure Pipelines with environment gates requiring approval for production.
Test changes in non-production environments before production deployment. Document the post-implementation review in the work item, confirming successful deployment or triggering the rollback plan. Maintain emergency change procedures for critical incidents, with retrospective documentation completed after the fact.
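The following multi-stage Azure Pipelines definition is an added illustration of the non-production-then-production flow described above; it is not taken from the page and assumes two Azure DevOps environments named `test` and `production` that you have already created. In Azure DevOps, the production approval gate itself is not expressed in YAML: it is configured on the `production` environment under Pipelines, Environments, Approvals and checks, and the pipeline run pauses at the `DeployProd` job until the designated approver signs off. The deployment script names (`deploy.sh`) are placeholders.

```yaml
# Added example: two-stage pipeline with a production environment gate.
# Assumes environments "test" and "production" exist in the Azure DevOps
# project and that an Approvals check is configured on "production".
trigger:
  branches:
    include:
      - main

stages:
  - stage: Test
    displayName: Deploy to non-production
    jobs:
      - deployment: DeployTest
        displayName: Deploy and verify in test
        environment: test            # no approval check; evidence of testing is the run log
        pool:
          vmImage: ubuntu-latest
        strategy:
          runOnce:
            deploy:
              steps:
                - checkout: self
                - script: ./deploy.sh test      # placeholder deployment script
                  displayName: Deploy to test
                - script: ./smoke-test.sh test  # placeholder post-deploy checks
                  displayName: Run smoke tests

  - stage: Production
    displayName: Deploy to production
    dependsOn: Test
    condition: succeeded()           # production never starts unless test passed
    jobs:
      - deployment: DeployProd
        displayName: Deploy to production (gated)
        environment: production      # Approvals check on this environment blocks until sign-off
        pool:
          vmImage: ubuntu-latest
        strategy:
          runOnce:
            deploy:
              steps:
                - checkout: self
                - script: ./deploy.sh production
                  displayName: Deploy to production
            on:
              failure:
                steps:
                  - script: ./rollback.sh production   # placeholder rollback script
                    displayName: Roll back on failed deployment
```

Because the run is triggered from `main`, the traceability to a work item comes from the branch policy on `main` (Repos, Branches, Branch policies, "Check for linked work items"), which refuses to complete a pull request that is not linked to a work item; the pipeline run, the environment's approval record, and the linked work item together form the evidence chain an auditor reviews.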
What an auditor looks for
Auditors will verify Azure DevOps work items document changes with required fields for risk, testing, rollback, and approval. They will check approval workflows require sign-off before implementation. Auditors will verify Azure Pipelines include environment gates for production approval.
They will check evidence of non-production testing before production deployment. Auditors will verify post-implementation review documentation in work items. They will check emergency change procedures exist with retrospective documentation evidence.