CC8.1
SOC 2 CC8.1 requires that your organisation organises, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.
CC8.1 highlights the following points of focus:
Manages Changes Throughout the System Life Cycle
Your organisation should use a process for managing system changes throughout the life cycle of your system and its elements, including infrastructure, data, software, and procedures. This will support system availability and processing integrity.
Authorises Changes
Your organisation should have a process in place to permit system changes before development.
Designs and Develops Changes
A process should be put in place to plan and create system changes.
Documents Changes
A process should be implemented to document system changes. This supports continuing system maintenance and assists system users in performing their responsibilities.
Tracks System Changes
A process should be put in place to track system changes before application.
Configures Software
A process should be put in place to choose and execute the configuration parameters used to manage the functionality of software.
Tests System Changes
A process should be implemented to test system changes prior to application.
Approves System Changes
A process should be put in place to authorise system changes before application.
Deploys System Changes
A process should be put in place to implement system changes.
Identifies and Evaluates System Changes
Any objectives impacted by system changes should be identified, and the modified system’s ability to meet your organisation’s objectives should be assessed throughout the system development life cycle.
Detects Changes in Infrastructure, Data, Software, and Procedures Required to Resolve Incidents
Changes in infrastructure, data, software, and procedures that are required to remediate incidents, so that your organisation continues to meet its objectives, should be identified, and the change process should be initiated upon detection.
Creates Baseline Configuration of IT Technology
A standard configuration of IT and control systems should be created and preserved.
Provides for Changes Necessary in Emergency Situations
A process should be established for authorising, devising, testing, approving, and applying changes required in emergency situations (such as changes that need to be implemented within a critical time frame).
Protects Confidential Information
To meet confidentiality objectives, the organisation should safeguard confidential information during system design, development, testing, application, and change processes.
Protects Personal Information
Your organisation should protect personal information during system design, development, testing, implementation, and change processes to meet privacy objectives.