SOC 2 Controls CC8: Change Management

CC8.1

SOC 2 CC8.1 requires that your organisation organises, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.

CC8.1 highlights the following points of focus:

Manages Changes Throughout the System Life Cycle

Your organisation should apply and use a process for managing system changes throughout the life cycle of your system and its elements, including infrastructure, data, software, and procedures. This will support system availability and processing integrity.

Authorises Changes

Your organisation should have a process in place to permit system changes before development.

Designs and Develops Changes

A process should be put in place to plan and create system changes.

Documents Changes

A process should be implemented to document system changes. This supports continuing system maintenance and assists system users in performing their responsibilities.

Tracks System Changes

A process should be put in place to track system changes before application.

Configures Software

A process should be put in place to choose and execute the configuration parameters used to manage the functionality of software.

Tests System Changes

A process should be implemented to test system changes prior to application.

Approves System Changes

A process should be put in place to authorise system changes before application.

Deploys System Changes

A process should be put in place to implement system changes.

Identifies and Evaluates System Changes

Any objectives impacted by system changes should be identified, and the modified system's ability to meet your organisation’s objectives should be assessed throughout the system development life cycle.

Detects Changes in Infrastructure, Data, Software, and Procedures Required to Resolve Incidents

Changes in infrastructure, data, software, and procedures required to remediate incidents to continue to meet your organisation’s objectives should be identified, and the change process should be initiated upon detection.

Creates Baseline Configuration of IT Technology

A standard configuration of IT and control systems should be created and preserved.

Provides for Changes Necessary in Emergency Situations

A process should be established for authorising, devising, testing, approving, and applying changes required in emergency situations (such as changes that need to be implemented within a critical time frame).

Protects Confidential Information

To meet confidentiality objectives, the organisation should safeguard confidential information during system design, development, testing, application, and change processes.

Protects Personal Information

Your organisation should protect personal information during system design, development, testing, implementation, and change processes to meet privacy objectives.