Security check

SOC 2 change management (CC8.1): the evidence is in your GitHub

SOC 2's CC8.1 requires production changes to be authorised, reviewed and tested. For a software company that's proven in GitHub β€” branch protection, required reviews and green CI gates. We show where you stand.

Run a free domain scan All checks β†’
Relates to: SOC 2 Β· CC8.1 β€” change management ISO 27001 Β· A.8.32 change management NIS2 Β· art. 21 β€” secure development

What we check

We map SOC 2's change-management requirement to concrete GitHub controls: that no one can push straight to production without review, that CI must pass before merge, that admins don't bypass the rules, and that change history is traceable per commit.

Why it matters

CC8.1 is often where tech companies get stuck in the audit β€” not because the process is missing, but because it can't be proven technically. Branch protection and required reviews are the evidence an auditor actually accepts.

How Security Guru tests it

Common mistakes

  • Having a documented change process but no technical gate in GitHub
  • Admins allowed to bypass review β€” CC8.1 fails
  • Required reviews set to 0 β€” the rule exists but requires no one
  • No link between ticket/PR and actual merge

What you get in the report

  • CC8.1 status per repo with technical evidence
  • Repos where changes can reach production without review
  • Recommended baseline for a passing audit
  • Ready evidence package for your SOC 2 auditor

FAQ

Does this replace our SOC 2 audit?

No β€” we deliver the technical evidence for CC8.1 that you and your auditor use. We don't issue the SOC 2 report.

Type I or Type II?

The evidence serves both β€” Type II additionally requires the control to be shown operating over time, which branch-protection history demonstrates.

Does code have to leave us?

No β€” the control reads repo settings via API and can run without code leaving the environment.

Want to know your status?

Run a free scan or order a full Security Assessment β€” prioritised, not noise.

Run a free domain scan