SOC 2 Readiness Control
Change Management
Controlled changes to code, infrastructure, and configuration with approvals and rollback plans.
Why auditors care
Approvals and deployment safety
Demonstrate clear ownership, evidence, and cadence to show this control operates consistently.
What to implement
- Assign an owner and set a review cadence.
- Document the policy, procedure, and escalation path.
- Track exceptions with remediation dates.
Evidence auditors expect
- Dated records of reviews or approvals.
- Screenshots/exports showing configurations and coverage.
- Tickets proving remediation or follow-up.
Common mistakes
- Unowned control with no cadence.
- Evidence not tied to who/when/what changed.
- No process for exceptions or emergency changes.
FAQ
What auditors expect
Peer review evidence, approvals in tickets or PRs, and rollback or deploy checklists.
Common issues
Emergency changes without documentation and missing linkage between tickets and deployments.
