What does controlling changes require from an organization?

Get ready for the ISO 27001 Internal Auditor Exam. Learn through flashcards and multiple choice questions with hints and explanations. Ace your auditor test!

Controlling changes within an organization is a critical aspect of maintaining its security and operational effectiveness. The requirement to manage and analyze both planned and unplanned changes ensures that any potential risks associated with these changes are properly assessed and mitigated.

When changes occur, whether they are anticipated or unexpected, they can have significant impacts on an organization's information security management system (ISMS). By managing and analyzing these changes, the organization can better understand the implications for processes, technology, and personnel. This proactive approach helps to ensure that changes align with the organization's overall security posture and strategic goals.

Furthermore, managing unplanned changes is crucial, as they can introduce vulnerabilities or disrupt existing processes if not handled correctly. A structured approach to analyzing these changes allows an organization to respond effectively, ensuring that the changes are documented, evaluated, and, if necessary, integrated into existing procedures or controls.

The other options do not encapsulate the comprehensive approach required for effective change management. Ignoring changes would leave the organization vulnerable; merely planning changes without consideration of unplanned ones could result in oversights; and allowing spontaneous changes could destabilize critical operations. Therefore, the correct answer emphasizes the importance of a thorough and systematic process in managing all types of changes.
