How do I handle emergency changes and hotfixes during a SOC 2 observation period?

March 6, 2026 | 2 min read | First-Time SOC 2

Emergency Changes Are Normal

Auditors know production incidents happen and hotfixes are sometimes needed. They don't expect 100% adherence to your change management process. What they expect is that exceptions are rare, that each one is documented and justified, and that your policy anticipates them rather than treating every bypass as an unplanned deviation.

The Emergency Change Process

During the Emergency

  1. Deploy the fix to stop or prevent the incident
  2. Notify the team via Slack/PagerDuty
  3. Log the decision — who authorized the bypass and why

Within 24 Hours

  1. Create a post-deployment PR with the code changes
  2. Get retroactive review — another engineer reviews the change
  3. Document in your incident log:
    • What happened
    • What was deployed
    • Who authorized the bypass
    • Why normal review was not possible
    • When the retroactive review was completed

Evidence to Keep

Evidence                 Purpose
Incident timeline        Shows the emergency was real
Post-deployment PR       Proves the change was eventually reviewed
Justification document   Explains why the normal process was bypassed
Retroactive approval     Shows the change was validated after the fact

What Auditors Look For

Auditors will sample your merged PRs during the observation period. A change that merged with no approval dated before the merge is an emergency change by definition; when they find one, they'll check:

  1. Was there a documented reason for the bypass?
  2. Was a post-deployment review conducted?
  3. Is this consistent with your emergency change policy?
  4. How frequently does this happen?

What Gets Flagged

  • Emergency changes without any documentation
  • Emergency changes that happen frequently (more than 10% of all changes)
  • No post-deployment review
  • No policy covering emergency changes
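The four auditor checks above and the "What Gets Flagged" list can be run against your own PR history before the auditor does it for you. The script below is an added example for this article, not code from the original page or from Screenata; it assumes PR metadata has already been exported from your source control system into the simple dict shape shown in SAMPLE_PRS (field names such as "approvals", "justification" and "authorized_by" are constructed for this example and do not correspond to any provider's API). It classifies a PR as an emergency change when no approval predates the merge, checks each one for a documented reason, a named authorizer and a post-deployment review inside the 24-hour window from the policy language, and reports whether emergency changes exceed 10% of all changes in the sample.

```python
"""Audit merged pull requests for emergency-change hygiene.

Added example, not from the original article. Assumes PR metadata has been
exported to plain dicts (constructed shape below); timestamps are naive UTC
ISO-8601 strings. Field names are assumptions for this example only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

RETRO_REVIEW_WINDOW = timedelta(hours=24)  # from the policy language
EMERGENCY_RATE_LIMIT = 0.10                # more than 10% of changes gets flagged


@dataclass
class Finding:
    pr: int
    issues: list  # control gaps found for one emergency change


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def is_emergency(pr: dict) -> bool:
    """Emergency change: merged with no approval dated at or before the merge."""
    merged = parse(pr["merged_at"])
    return not any(parse(a["at"]) <= merged for a in pr["approvals"])


def audit_pr(pr: dict) -> list:
    """Return the list of control gaps for one emergency change (empty if compliant)."""
    issues = []
    merged = parse(pr["merged_at"])
    if not pr.get("justification"):
        issues.append("no documented reason for bypass")
    if not pr.get("authorized_by"):
        issues.append("no named authorizer")
    post = [parse(a["at"]) for a in pr["approvals"] if parse(a["at"]) > merged]
    if not post:
        issues.append("no post-deployment review")
    elif min(post) - merged > RETRO_REVIEW_WINDOW:
        issues.append("post-deployment review later than 24h")
    return issues


def audit(prs: list) -> dict:
    """Apply the four auditor checks to every emergency change in a PR sample."""
    emergencies = [p for p in prs if is_emergency(p)]
    findings = [Finding(p["number"], audit_pr(p)) for p in emergencies]
    rate = len(emergencies) / len(prs) if prs else 0.0
    return {
        "total": len(prs),
        "emergency": len(emergencies),
        "rate": rate,
        "rate_exceeded": rate > EMERGENCY_RATE_LIMIT,
        "findings": [f for f in findings if f.issues],
    }


# Constructed sample: nine routine changes approved before merge, then three
# emergency changes with different levels of hygiene.
SAMPLE_PRS = [
    {"number": n, "merged_at": f"2026-03-{n:02d}T12:00:00",
     "approvals": [{"by": "reviewer", "at": f"2026-03-{n:02d}T11:00:00"}]}
    for n in range(1, 10)
] + [
    # Compliant: justified, authorized, reviewed ~6h after deploy.
    {"number": 101, "merged_at": "2026-03-10T03:15:00",
     "approvals": [{"by": "reviewer", "at": "2026-03-10T09:30:00"}],
     "justification": "Auth service OOM loop; rollback of config change",
     "authorized_by": "cto"},
    # Reviewed, but 30h later than the 24h window allows.
    {"number": 102, "merged_at": "2026-03-11T02:00:00",
     "approvals": [{"by": "reviewer", "at": "2026-03-12T08:00:00"}],
     "justification": "Hotfix for failing health checks",
     "authorized_by": "eng-lead"},
    # No justification, no authorizer, never reviewed.
    {"number": 103, "merged_at": "2026-03-12T04:00:00",
     "approvals": []},
]

if __name__ == "__main__":
    report = audit(SAMPLE_PRS)
    print(f"{report['emergency']}/{report['total']} emergency changes "
          f"({report['rate']:.0%}); over limit: {report['rate_exceeded']}")
    for f in report["findings"]:
        print(f"PR #{f.pr}: " + "; ".join(f.issues))
```

Run on real data, the same report tells you which PRs need a justification or retroactive review added to the incident log before the auditor samples them, and whether your exception rate is heading toward the 10% threshold during the observation period rather than after it.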

Policy Language

Your change management policy should include a section like: "Emergency changes may bypass the standard review process when production availability or data security is at immediate risk. The CTO or engineering lead authorizes the bypass. A post-deployment pull request with peer review must be created within 24 hours, including a description of the emergency and justification for bypassing standard controls."
