๐Ÿ“‹ Template SOC 2 Type II ยท CC8.1 ยท 4 pages ยท SOC2-CHG-001

SOC 2 Change Management Policy

Controls for managing changes to production systems under SOC 2 CC8. Covers change types, approval workflow, testing requirements, rollback procedures, and emergency change process.

๐Ÿ“ง Business Email Required

Verify Your Email to Access

Enter your business email to receive a one-time code. Verified once โ€” access all 17 templates.

Go to Templates Library

Already verified? Your access should be automatic on this device.

Document ID: SOC2-CHG-001 | Version: 1.0 | Date: March 2026 | Classification: Internal | Owner: Head of Engineering / CISO

Purpose

This policy governs all changes to production systems, infrastructure, and configurations to ensure that changes are authorised, tested, and reviewed before deployment. It implements CC8.1 of the SOC 2 Common Criteria.

1. Change Categories

CategoryDescriptionExamplesApproval Required
StandardPre-approved, low-risk, routine change with established procedureDependency updates, certificate renewal, config value changesSelf-approved (engineer)
NormalNon-emergency change requiring review before deploymentNew feature releases, infrastructure changes, schema migrationsEngineering Lead + QA
MajorSignificant change with broad system impact or customer-facing effectNew service deployment, authentication changes, pricing logicEngineering Lead + CISO
EmergencyUrgent change to resolve critical incident or security vulnerabilityHotfix for P1 incident, critical CVE patchCISO verbal approval; post-hoc documentation within 24 hours

2. Normal Change Process

  1. Submit โ€” Engineer opens a change request in [ticketing system] with: description, scope, risk assessment, testing plan, rollback plan
  2. Review โ€” Engineering Lead reviews technical approach; Security reviews risk for changes affecting auth, data access, or encryption
  3. Test โ€” Change deployed to staging environment; automated and manual tests run; sign-off from QA
  4. Schedule โ€” Change scheduled in maintenance window (avoid peak hours); stakeholders notified โ‰ฅ24 hours in advance
  5. Deploy โ€” Change deployed with engineer and reviewer available during deployment window
  6. Verify โ€” Post-deployment verification: smoke tests, monitoring checks, customer-facing functionality confirmed
  7. Close โ€” Change ticket updated with outcome; any incidents or deviations documented

3. Required Gates Before Production

GateRequirement
Code reviewMinimum two reviewers; at least one senior engineer
Automated testsCI pipeline must pass with no failing tests
Security scanSAST scan must have no critical/high findings unaddressed
Staging validationChange tested in staging under production-equivalent conditions
Rollback planDocumented rollback procedure must exist before deployment
ApprovalRequired approvals obtained per change category

4. Rollback Procedure

Every production change must have a documented rollback plan before deployment. The rollback plan must include:

  • Trigger condition (when to roll back)
  • Rollback steps (specific commands or procedures)
  • Rollback owner (who executes the rollback)
  • Verification steps (how to confirm rollback was successful)
  • Rollback time estimate

If a rollback is executed, it must be documented as an incident (minimum P3) with a post-incident review.

5. Emergency Change Process

When a change must bypass the normal process (P1 incident, active exploitation of critical vulnerability):

  1. Obtain verbal approval from CISO (or Engineering Lead if CISO unavailable)
  2. Implement minimum change required to resolve the issue
  3. Document the change in the emergency change log within 24 hours
  4. Conduct post-hoc review within 5 business days
  5. File change record with retroactive sign-off from CISO

Emergency changes that bypass standard gates are tracked separately and included in quarterly change management reports.

6. Prohibited Practices

  • Deploying directly to production without code review
  • Using production credentials in development or test environments
  • Bypassing CI/CD pipeline for production deployments
  • Making undocumented changes to production infrastructure
  • Using shared accounts for production deployments (all changes must be attributable)

7. Change Log

All production changes are logged with: change ID, description, author, approvers, deployment date, outcome, and any incidents triggered. Change logs are retained for a minimum of 3 years.

8. Review

This policy is reviewed annually. The change management process is assessed during the annual SOC 2 audit.

VersionDateAuthorChanges
1.0March 2026[Author]Initial issue

Need help implementing ISO 27001?

Our certified team can guide you from gap assessment through to certification audit.

Talk to Our Team