Is controlling changes required to be documented by ISO 27001?


No. ISO 27001 requires that changes to the information security management system (ISMS) be controlled, not that every change be formally documented. Clause 6.3 (added in the 2022 revision) requires changes to the ISMS to be carried out in a planned manner, and clause 8.1 requires the organization to control planned changes and review the consequences of unintended changes, taking action to mitigate adverse effects. Neither clause prescribes a record for each change; the standard's concern is that changes are planned, risk-assessed and do not degrade the ISMS.

What must be documented follows instead from clause 7.5.1, which covers the documented information the standard explicitly names plus whatever the organization itself determines is necessary for the effectiveness of the ISMS. Organizations therefore define their own change-control procedure and decide, based on their risk assessment and any legal or contractual requirements, which changes are recorded and in what detail. This gives a tailored approach that fits the organization's size, risk appetite and operating context.

In practice, a well-functioning ISMS records significant changes (for example, changes to scope, policy, risk treatment or key controls) because an auditor will ask for evidence that clause 8.1 is being met, while routine, low-impact changes may be handled under a lighter process. The discretion lies with the organization, provided its chosen approach is applied consistently and is itself justified by the assessed risk.
