Change Management for SOC 2: AICPA Guidelines

Anwita


Feb 08, 2024


If your organization's SOC 2 audit is around the corner, your team has surely worked hard to earn that SOC 2 report. A ton of effort went into ensuring that the organization can demonstrate compliance with the applicable Trust Services Criteria (TSC).

In your SOC 2 journey, are you ready to produce evidence for questions on adherence to Common Criteria 8.1 (CC8.1)? Can you show how changes to systems and policies are authorized, tested, approved, and tracked at an organizational level so that data stays protected throughout? This is where SOC 2 change management comes in.

This article dives into the details of SOC 2 change management: what it is, the steps to implement it, the TSC-specific considerations, best practices to follow, and a few examples of SOC 2 change management in practice.

What is SOC 2 Change management?

SOC 2 change management establishes the policies, procedures, and best practices a service organization uses to manage changes to its IT environment in a controlled way. It helps to mitigate the risk introduced by change, meet audit expectations, and close gaps while changes are being made.

CC8.1 requires the service organization to authorize, design, develop or acquire, configure, document, test, approve, and implement changes to infrastructure, data, software, and procedures in order to meet its objectives. It is a routine process for entities undergoing an audit, and the auditor verifies that the organization meets the criterion and can show evidence for it.

In other words, SOC 2 change management is the set of policies, procedures, and records that show how an organization changes its systems while sustaining its security posture. The records capture the reason for a change or upgrade, who authorized it, who implemented it, what was tested, and what was deployed. They cover everything from simple configuration tweaks to complex system changes.

Importance of change management in SOC 2

Change management policies help organizations demonstrate the effectiveness of the systems, processes, and controls they use to handle change. Such changes include adopting new tools or technologies, updating a process workflow, and upgrading database systems within the IT infrastructure.

The objective of change management in SOC 2 is to maintain transparency, accuracy, and accountability in internal control. 


Steps to set up SOC 2 change management

The revised Trust Services Criteria list 14 points of focus under CC8.1 for managing changes across your IT environment. These are:

1. Manage changes across system life cycle

Implement a process to manage changes to the system and its components throughout their life cycle so that the system continues to meet your business objectives. This applies to infrastructure, data, software, and both manual and automated procedures.

2. Authorization

Implement a process to authorize changes before any work on them begins and before they are applied to business processes.

3. Design and development

Establish a process to securely design and develop system changes.

4. Document changes

Establish a process to document changes. Generating documentation automatically (for example, from the ticketing system and version control) cuts cost and removes a source of human error.


5. Tracking

Design a process to track each system change from request through deployment.

6. Software configuration

Implement a process to select, implement, maintain, and monitor the configuration parameters that control the functions of developed or acquired software.

7. System testing 

Establish a process to test internally developed or acquired systems before they are released to production. Examples of testing include unit, integration, and regression testing, static or dynamic code analysis, quality assurance, and automated testing.

8. Change approval

Establish a process to approve changes before they are implemented.

9. Change deployment

Establish a process to deploy system changes that enforces segregation of duties, so that no one person can push an unauthorized change. For example, no single person should be able to develop a change and then also test and deploy it unilaterally.

10. Identification and evaluation

Implement a process to identify which organizational objectives a system change affects, and evaluate whether the modified system still supports those objectives throughout the system development life cycle.

11. Identify changes

Identify changes to data, software, infrastructure, and procedures that are required to remediate incidents, and initiate the change process as soon as they are identified.

12. Baseline configuration

Create and maintain a baseline configuration of IT and control systems, so that deployed systems can be compared against an approved, known-good state.

13. Emergency situation 

Establish a process to authorize, design, test, approve, and implement changes that must be made urgently in time-sensitive situations, so that emergency changes still leave an audit trail.

14. Manage patches

Implement a process to identify, evaluate, test, approve, and implement patches to infrastructure and software in a timely manner.

The TSC also describe additional points of focus for change management under the other trust services categories.

Availability: Consider system resilience

Take system resilience into account when designing systems, and test resilience during development so that the system can respond to and recover from disruptions and maintain business continuity.

Confidentiality: Protect confidential data

Protect the confidentiality of data while designing, developing, testing, implementing, and changing a system, to support confidentiality-related objectives.

Privacy: Protect personal information

Protect personal information while designing, developing, testing, implementing, and changing a system, to support privacy-related objectives.

Privacy: Privacy by design

Take privacy requirements into account while designing systems and processes. Limit the collection and processing of personal information to what is necessary for the stated purpose.


Examples of SOC 2 Change Management 

Here are a few examples of how change management can be implemented in day-to-day business activities:

  • Introduce a documented change management process and review it periodically (semi-annually or annually)
  • Record change activity in tooling such as a ticketing system, a version-controlled code repository, and a test or CI system, so the records double as audit evidence
  • Maintain separate environments for development, testing, staging, and production
  • Restrict the ability to deploy changes directly to production servers
  • Perform a post-implementation review to compare the outcome achieved with the outcome intended

Signals to Identify an ineffective SOC 2 Change management system

Here are a few signals that point to an ineffective change management system:

  • A change is deployed without having been authorized
  • A change is not tracked throughout its life cycle and has gaps in its documentation
  • The change does not meet the organization's documented requirements for change, as assessed against CC8.1
  • There is no log of which user made a change; in other words, the person behind a change cannot be identified
  • Planned changes are not deployed on time
  • The configuration that was authorized for the change is not the same as the configuration that was implemented
  • There is no process in place for emergency changes
  • Changes deployed to production are not logged

These are only a few of the signals; there are many other ways in which a change management system can fail to demonstrate an effective security posture.
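The 14 CC8.1 points of focus above and the warning signals just listed can be turned into an automated check over the change records your ticketing and deployment tooling already produce. The following is an added example, not code from the original article or from any vendor: the record schema, field names, and sample tickets are constructed for illustration, and the configuration fingerprint uses a plain SHA-256 over canonical JSON as a stand-in for whatever baseline mechanism you actually use. It flags deployments without authorization or approval, missing actors, missing test evidence, approver and implementer being the same person (segregation of duties), drift between the approved baseline and what was deployed, late planned changes, and after-the-fact approvals that were not designated as emergency changes.

```python
"""Audit change records against the CC8.1 points of focus.

Added example (not from the original article): every class, field name and
sample record here is a constructed illustration, not a real ticketing
schema or real customer data.
"""
from dataclasses import dataclass
from datetime import datetime
from hashlib import sha256
import json
from typing import Optional


def config_fingerprint(config: dict) -> str:
    """Stable hash of a configuration, used to compare the approved baseline
    with what actually reached production (key order does not matter)."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return sha256(canonical.encode()).hexdigest()


@dataclass
class ChangeRecord:
    ticket: str                       # tracking id in the change system ("" = untracked)
    implemented_by: Optional[str]     # who deployed the change
    authorized_by: Optional[str]      # who authorized work to start
    approved_by: Optional[str]        # who approved deployment
    approved_at: Optional[datetime]
    deployed_at: Optional[datetime]   # None = not yet deployed
    planned_for: Optional[datetime]   # scheduled deployment time, if planned
    test_evidence: Optional[str]      # e.g. a CI run id; None if untested
    approved_config: dict             # baseline that was approved
    deployed_config: dict             # configuration observed in production
    emergency: bool = False           # went through the emergency path


def audit_change(rec: ChangeRecord) -> list[str]:
    """Return the CC8.1 gaps found in one record (empty list = clean)."""
    gaps: list[str] = []
    deployed = rec.deployed_at is not None
    if not rec.ticket:
        gaps.append("change is not tracked in the change system")
    if deployed and rec.implemented_by is None:
        gaps.append("no record of who implemented the change")
    if deployed and rec.authorized_by is None:
        gaps.append("deployed without prior authorization")
    if deployed and rec.approved_by is None:
        gaps.append("deployed without approval")
    # Emergency changes may be approved after the fact; normal changes may not.
    if (deployed and rec.approved_at is not None
            and rec.approved_at > rec.deployed_at and not rec.emergency):
        gaps.append("approved after deployment but not flagged as emergency")
    if rec.approved_by is not None and rec.approved_by == rec.implemented_by:
        gaps.append("approver also implemented the change (no segregation of duties)")
    if deployed and rec.test_evidence is None:
        gaps.append("no test evidence before deployment")
    if deployed and config_fingerprint(rec.approved_config) != config_fingerprint(rec.deployed_config):
        gaps.append("deployed configuration differs from the approved baseline")
    if deployed and rec.planned_for is not None and rec.deployed_at > rec.planned_for:
        gaps.append("planned change deployed after its scheduled date")
    return gaps


def audit_changes(records: list[ChangeRecord]) -> dict[str, list[str]]:
    """Map each record to its findings, keeping only records that have gaps."""
    out: dict[str, list[str]] = {}
    for i, rec in enumerate(records):
        gaps = audit_change(rec)
        if gaps:
            out[rec.ticket or f"<untracked-{i}>"] = gaps
    return out


# Constructed sample data: one clean change, one with several control gaps,
# one properly handled emergency change, and one untracked production change.
T = datetime
BASELINE = {"tls_min_version": "1.2", "debug": False, "max_conns": 500}
SAMPLE_CHANGES = [
    ChangeRecord("CHG-101", "dev.alice", "mgr.bob", "lead.carol",
                 T(2024, 2, 1, 9), T(2024, 2, 1, 14), T(2024, 2, 1, 18),
                 "ci-run-8812", BASELINE, BASELINE),
    ChangeRecord("CHG-102", "dev.dave", "mgr.bob", "dev.dave",
                 T(2024, 2, 2, 9), T(2024, 2, 5, 10), T(2024, 2, 3, 18),
                 None, BASELINE, {**BASELINE, "debug": True}),
    ChangeRecord("CHG-103", "oncall.erin", "mgr.bob", "lead.carol",
                 T(2024, 2, 6, 3), T(2024, 2, 6, 1), None,
                 "ci-run-8840", BASELINE, BASELINE, emergency=True),
    ChangeRecord("", None, None, None, None, T(2024, 2, 7, 12), None,
                 None, BASELINE, BASELINE),
]

if __name__ == "__main__":
    for ticket, gaps in audit_changes(SAMPLE_CHANGES).items():
        print(ticket)
        for gap in gaps:
            print("  -", gap)
```

Run against the sample data, CHG-101 and the emergency change CHG-103 produce no findings, CHG-102 is flagged for the approver deploying their own change, missing test evidence, a debug flag that was never in the approved baseline, and a late deployment, and the untracked record is flagged on every authorization and identity check. In a real environment the records would be pulled from the ticketing system, the version control host, and the CI and deployment logs, which is also exactly the evidence an auditor asks for under CC8.1.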

Conclusion 

Managing, tracking, and documenting every change across the environment manually is not just time-consuming but error-prone. Too many errors, and you risk a qualified report that can set your business goals back by months, or worse, years.

Sprinto automates the tasks involved in managing your changes. It documents everything in an audit-friendly manner, lets you track changes from a centralized dashboard, triggers alerts on unauthorized changes, and more. Talk to our experts today to see how you can move smoothly through your SOC 2 journey.


Anwita is a cybersecurity enthusiast and veteran blogger all rolled into one. Her love for everything cybersecurity started her journey into the world of compliance. With multiple cybersecurity certifications under her belt, she aims to simplify complex security topics for all audiences. She loves to read nonfiction, listen to progressive rock, and watch sitcoms on the weekends.
