Change Management
Controls & Security · Last updated 2026-05-17

Change management is the formal process for proposing, reviewing, approving, testing, and deploying modifications to production systems. SOC 2 examines it under Common Criteria CC8.1, which requires that changes to infrastructure, data, software, and procedures are authorized, designed, developed or acquired, configured, documented, tested, approved, and implemented in a controlled manner.

A standard workflow includes: a change request with rationale and risk assessment; peer code review; automated test suite execution; staging environment validation; explicit approval from a designated approver who is not the author of the change; deployment with a rollback plan; and post-deployment verification. Emergency changes typically follow an abbreviated process, with approval documented retroactively within a defined window.

Auditors test change management by sampling production changes from the audit period and verifying that each followed the documented process, with the approvals and evidence to show it. A deployed change that cannot be traced back to an approved, tested change record is itself a finding. The challenge is making the process rigorous enough to satisfy auditors without slowing engineering velocity. Modern teams typically implement it through pull request workflows in source control: branch protection requires review from designated reviewers and passing CI checks before merge, and the merged pull request, its reviews, and its check results become the audit evidence.
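The sampling test an auditor performs can be automated and run continuously against the pull request data the workflow already produces. The script below is an added example, not code from any SOC 2 guidance, tool, or the page's author: it traces each production deployment back to its merged pull request and checks the points named above (designated, non-self approval; approval before merge for standard changes or within a retroactive window for emergency changes; required CI checks passed; rollback plan recorded). The approver names, check names, two-day window, and all sample records are constructed for illustration; real data would come from your SCM and deployment systems.

```python
"""Added example: automated control test for a PR-based change management workflow.
Policy thresholds, approver names and sample records are constructed, not prescribed by CC8.1."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical policy parameters (assumed for this example).
DESIGNATED_APPROVERS = {"alice", "bob"}                 # allowed to approve production changes
REQUIRED_CHECKS = {"ci/tests", "ci/staging-validate"}   # CI checks that must pass
RETROACTIVE_WINDOW = timedelta(days=2)                  # emergency approval must land within this


@dataclass
class ChangeRecord:
    """One merged pull request, shaped loosely after what an SCM API returns."""
    pr: int
    author: str
    merge_sha: str
    merged_at: datetime
    approvals: list[tuple[str, datetime]] = field(default_factory=list)  # (reviewer, when)
    checks: dict[str, str] = field(default_factory=dict)                 # check name -> conclusion
    emergency: bool = False
    rollback_plan: bool = True


def evaluate(change: ChangeRecord) -> list[str]:
    """Return finding codes for one change; an empty list means it passed."""
    findings = []

    # Approval must come from a designated approver who is not the author
    # (segregation of duties: self-approval does not count).
    valid = [(who, when) for who, when in change.approvals
             if who in DESIGNATED_APPROVERS and who != change.author]
    if not valid:
        findings.append("NO_DESIGNATED_APPROVAL")
    elif change.emergency:
        # Emergency path: retroactive approval is allowed, but only within the window.
        earliest = min(when for _, when in valid)
        if earliest - change.merged_at > RETROACTIVE_WINDOW:
            findings.append("RETROACTIVE_APPROVAL_LATE")
    else:
        # Standard path: at least one valid approval must precede the merge.
        if all(when > change.merged_at for _, when in valid):
            findings.append("APPROVAL_AFTER_MERGE")

    # Every required CI check must have run and succeeded.
    for name in sorted(REQUIRED_CHECKS):
        conclusion = change.checks.get(name)
        if conclusion is None:
            findings.append(f"MISSING_CHECK:{name}")
        elif conclusion != "success":
            findings.append(f"CHECK_NOT_PASSED:{name}")

    if not change.rollback_plan:
        findings.append("NO_ROLLBACK_PLAN")
    return findings


def audit(deployments: list[tuple[str, datetime]],
          changes: list[ChangeRecord]) -> dict[str, list[str]]:
    """Trace each production deployment back to its change record and evaluate it.

    Mirrors the auditor's sampling: every deployed commit must map to a reviewed,
    approved, tested change; a deploy with no record is itself a finding.
    """
    by_sha = {c.merge_sha: c for c in changes}
    report = {}
    for sha, _deployed_at in deployments:
        change = by_sha.get(sha)
        report[sha] = evaluate(change) if change else ["NO_CHANGE_RECORD"]
    return report


# --- Constructed sample data (not real PRs, commits or people) ---
T0 = datetime(2026, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_CHANGES = [
    # Standard change done right: approved before merge, all checks green.
    ChangeRecord(101, "carol", "a1", T0,
                 approvals=[("alice", T0 - timedelta(hours=1))],
                 checks={"ci/tests": "success", "ci/staging-validate": "success"}),
    # Self-approved, and staging validation never ran.
    ChangeRecord(102, "dave", "a2", T0 + timedelta(days=1),
                 approvals=[("dave", T0 + timedelta(days=1) - timedelta(minutes=5))],
                 checks={"ci/tests": "success"}),
    # Emergency fix approved 6 hours after merge: inside the retroactive window.
    ChangeRecord(103, "erin", "a3", T0 + timedelta(days=2),
                 approvals=[("bob", T0 + timedelta(days=2, hours=6))],
                 checks={"ci/tests": "success", "ci/staging-validate": "success"},
                 emergency=True),
    # Emergency fix approved 5 days later, with no rollback plan recorded.
    ChangeRecord(104, "erin", "a4", T0 + timedelta(days=3),
                 approvals=[("bob", T0 + timedelta(days=8))],
                 checks={"ci/tests": "success", "ci/staging-validate": "success"},
                 emergency=True, rollback_plan=False),
]
SAMPLE_DEPLOYMENTS = [("a1", T0), ("a2", T0 + timedelta(days=1)),
                      ("a3", T0 + timedelta(days=2)), ("a4", T0 + timedelta(days=3)),
                      ("deadbeef", T0 + timedelta(days=4))]  # pushed to prod with no PR


if __name__ == "__main__":
    for sha, findings in audit(SAMPLE_DEPLOYMENTS, SAMPLE_CHANGES).items():
        print(f"{sha}: {'OK' if not findings else ', '.join(findings)}")
```

Running this over the sample data flags the self-approved change, the late retroactive approval, the missing rollback plan, and the deployment with no pull request at all, while the two compliant changes pass. Starting from deployments rather than from pull requests is deliberate: it catches changes that bypassed the workflow entirely, which a report generated only from merged PRs would never see.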