Include potential consequences of unintended changes in the change control program.


CONTROL ID: 12243
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a change control program., CC ID: 00886

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Determination of consequences resulting from planned and unplanned malfunctions and changes over time (Section 5.14 BCM-02 Basic requirement ¶ 2 Bullet 5, Cloud Computing Compliance Controls Catalogue (C5))
  • When changes are planned, are they carried out in a controlled way and actions taken to mitigate any adverse effects? (Operation ¶ 4, ISO 22301: Self-assessment questionnaire)
  • The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. (§ 8.1 ¶ 2, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • When determining necessary controls, or considering changes to existing controls, consideration should be given to risks and opportunities that need to be addressed, and to any unintended consequences that can result. The organization should control planned changes and review the consequences of uni… (8.1.1 ¶ 2, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • The organization should control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. (§ 8.1 ¶ 2, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. (§ 8.1 ¶ 2, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. (§ 8.1 ¶ 2, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. (§ 8.1 ¶ 3, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. (§ 8.1 ¶ 3, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • The organization shall review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. (§ 8.1.3 ¶ 2, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. (8.1 ¶ 3, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. (§ 8.1 ¶ 2, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. (Section 8.2 ¶ 3, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The organization shall control planned changes to the SMS and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary (see 8.5.1). (§ 8.1 ¶ 2, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. (§ 8.1 ¶ 3, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • review their consequences; (§ 8.1 Guidance ¶ 3(m), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • perform an analysis of potential consequences on the ISMS, considering: (§ 10.1 Guidance ¶ 4(4), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The organization controls planned changes and reviews the consequences of unintended changes, and ensures that outsourced processes are identified, defined and controlled. (§ 8.1 Required activity ¶ 3, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)