What is CC8.1 in SOC 2 and how do you prove change management?
March 6, 20262 min readSOC 2 Evidence Collection
What Is CC8.1?
CC8.1 requires that "the entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives." Translation: don't push untested, unapproved code to production.
For SaaS startups using GitHub, you're probably already doing most of this. You just need to prove it.
Evidence for CC8.1
| Control | Evidence |
|---|---|
| Change authorization | GitHub PR with description of the change |
| Peer review | PR showing at least one approving review |
| Testing | CI pipeline results (GitHub Actions, Vercel preview) |
| Approval | Reviewer approval timestamp on the PR |
| Deployment | Deployment log showing the merge triggered a production deploy |
| Branch protection | Screenshot of branch protection settings on main |
How to Demonstrate CC8.1
Configuration Evidence (Type I and II)
- Screenshot of GitHub branch protection rules (required reviewers, status checks)
- Screenshot of CI/CD pipeline configuration (GitHub Actions, Vercel)
- Change management policy document
Population Evidence (Type II)
- Auditor samples 20-25 PRs from the audit period
- Each PR should show: description, reviewer approval, passing CI checks, merge to main
- No direct commits to main without a PR
Handling Emergency Changes
Auditors understand that hotfixes happen. Document your emergency change process:
- Deploy the hotfix directly
- Create a post-deployment PR within 24 hours
- Document why the standard process was bypassed
- Get retroactive review
Having a few documented emergency changes is fine. Having undocumented direct pushes to main is not.
Common Findings
- Branch protection disabled or set to "allow admins to bypass"
- PRs merged without reviewer approval
- No CI pipeline running tests before merge
- Emergency changes without post-deployment documentation