
Change Management

Frameworks: SOC 2 · ISO 27001 · PCI DSS · SOX

Documented process for approving, testing, and deploying changes to production systems.

Change Management governs how changes to production systems are proposed, reviewed, tested, approved, deployed, and verified. SOC 2 CC8.1 expects documented authorisation, segregation between developer and deployer, and evidence of testing.

Why it matters
Modern CI/CD with peer-reviewed PRs and protected branches satisfies CC8 — provided every merge to main is traceable to a ticket and a reviewer.
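The traceability and segregation expectations above can be checked mechanically from the merge history. The following is an added example, not ComplianceIQ's code or tooling: it takes constructed merge records (field names and the ticket-id format are this example's own assumptions) and reports every merge to main that lacks a ticket reference, an independent reviewer, test evidence, or a deployer distinct from the author.

```python
"""Constructed change-record check for the CC8.1 expectations named above.

Each production change should carry a ticket reference, an approving reviewer
who is not the author, evidence that tests passed, and a deployer who is not
the author. The records below are made up for illustration; the field names
and the ticket-id pattern are assumptions of this example, not a standard.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed ticket format, e.g. SEC-101 or OPS-77 (adapt to your tracker).
TICKET_RE = re.compile(r"\b[A-Z]{2,10}-\d+\b")


@dataclass
class ChangeRecord:
    commit: str            # merge commit id (constructed)
    title: str             # PR / merge title, expected to cite a ticket
    author: str            # who wrote the change
    approvers: list[str]   # who approved the PR
    tests_passed: bool     # CI evidence of passing tests
    deployed_by: str       # who (or what) promoted it to production


def check_change(rec: ChangeRecord) -> list[str]:
    """Return the control findings for one merge to main (empty list = compliant)."""
    findings = []
    if not TICKET_RE.search(rec.title):
        findings.append("no ticket reference")
    # Segregation of duties: the author approving their own change does not count.
    if not [a for a in rec.approvers if a != rec.author]:
        findings.append("no independent reviewer")
    if not rec.tests_passed:
        findings.append("no evidence of passing tests")
    if rec.deployed_by == rec.author:
        findings.append("author deployed own change (no developer/deployer segregation)")
    return findings


def audit(records: list[ChangeRecord]) -> dict[str, list[str]]:
    """Map commit id -> findings for every record that fails at least one check."""
    return {r.commit: f for r in records if (f := check_change(r))}


# Constructed sample: four merges to main, three of which have gaps.
SAMPLE = [
    ChangeRecord("a1b2c3", "SEC-101 rotate signing key", "alice", ["bob"], True, "deploy-bot"),
    ChangeRecord("d4e5f6", "hotfix: bump timeout", "carol", ["dave"], True, "deploy-bot"),
    ChangeRecord("0a1b2c", "OPS-77 widen pool", "erin", ["erin"], False, "erin"),
    ChangeRecord("9f8e7d", "OPS-78 add index", "frank", [], True, "deploy-bot"),
]

if __name__ == "__main__":
    for commit, findings in audit(SAMPLE).items():
        print(commit, "->", "; ".join(findings))
```

In practice the records would be built from the VCS and CI/CD APIs rather than typed in; the point is that each of the four findings maps to one of the CC8.1 expectations, so the output doubles as the evidence list an auditor asks for.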

Related terms

Segregation of Duties (SoD)
Splitting critical tasks across multiple individuals so no single person can execute fraud or untraceable error.
IT General Controls (ITGC)
Pervasive IT controls supporting reliable processing — access, change management, operations, development.
Audit Logging
Tamper-resistant recording of security-relevant events for monitoring, investigation, and evidence.

Does your program actually cover Change Management?

Run a free ComplianceIQ audit against SOC 2 and we'll surface every gap on this — and the other controls auditors flag — with the exact clause references to fix.
