Is documentation of changes required by ISO 27001?


Yes. ISO 27001 requires that changes to the Information Security Management System (ISMS) be documented, particularly significant changes. In the 2022 edition this follows from clause 6.3 (Planning of changes), which requires changes to the ISMS to be carried out in a planned manner, from clause 7.5 (Documented information), and from Annex A control 8.32 (Change management). Documenting changes ensures that modifications to the ISMS are recorded, reviewed, approved, and communicated, which preserves the integrity of the ISMS and keeps it consistent with its controls and policies.

ISO 27001 emphasizes continual improvement, and managing changes is part of that process. This means recording the reason for each change, assessing its impact on the ISMS (for example, on the risk assessment and the Statement of Applicability), and making sure affected stakeholders are informed. Undocumented changes can open gaps in security controls, cause misunderstandings among personnel, and ultimately lead to non-conformity with the standard.

For instance, when a significant change is made to a security policy or process, the record of that change lets the organization trace what was modified, who approved it, why it was made, and how effective it has been over time. The same records are essential evidence during internal and certification audits, demonstrating that the organization follows its own policies and procedures and meets the requirements of ISO 27001.
