Fundamentals of change management: The change review and approval process

Gowtham Ravi, Consultant


In this part of our change management blog series, we look at the change review and approval process. These are essential parts of development in the constantly changing Software as a Service (SaaS) industry for ensuring that any changes, no matter their size, are considered effectively for their effects on the platform's functionality and experience for users, security posture, and compliance with standards such as SOC 2. This connects innovation with operational reliability and accountability.



An understanding of SOC 2 compliance
Before exploring the change review and approval procedure, it helps to understand the SOC 2 compliance context. SOC 2, created by the American Institute of CPAs (AICPA), addresses five criteria topics: security (where change management generally sits), availability, confidentiality, processing integrity and privacy of customer information. SOC 2 compliance is not just a badge of honour for SaaS companies, but also a fundamental component of reliability and security in the industry.

Change review and approval procedure

Justification of changes
Change proposals or requests usually include a description of the change, the impact, resources required and the intended outcome or benefit of the change. This stage is essential in clarifying the key points of the suggested feature or modification and laying the groundwork for a thorough assessment. Technical specifications, acceptance criteria, potential customer impact and impact assessments should all be covered in detail. This is especially important when considering the processes and controls required for SOC 2 compliance.

Impact assessment
It is critical to conduct a detailed impact assessment that evaluates the impact that the change could have on the organisation’s system and its users. The results of the assessment should be used to influence the extent and type of change testing and approval required, any mitigating technical or operational controls required and communication required internally and externally. 

Change review
Collaborative review based on the type of change and the expected impact, including stakeholders from operations, security, development, and compliance, can ensure the right stakeholder buy-in, awareness and planning for increased likelihood of a successful change design and implementation. The broader the impact or complexity of a change, the more consultation and review may be required with the relevant stakeholders.

Change approval
It's crucial to establish precise, predetermined criteria for approving changes. To align with the SOC 2 criteria requirements, changes to data, software, infrastructure and supporting procedures should be approved prior to implementation. This approval may include stakeholders from the development, security, compliance and/or operational parts of the organization, based on the predetermined criteria (e.g. impact and nature of the change). This can also involve specifying who has the final approval in the process, typically someone other than the change developer, and making sure they have access to all the key data when making their final approval decision. 

Change documentation
For reference and compliance, it is essential to record each stage of the change management process, including development requirements, review, approval, and testing requirements along with the rationale for any key decisions during the process. This documentation, which shows due diligence, is a key part of SOC 2 compliance. Technical documentation such as logs in a version control system and audit trails can also be a key reference.

Applying technology to increase productivity and compliance

•    Automation innovations: The efficiency and validity of the change review and approval process can be made easier using automation technologies for monitoring changes, maintaining documentation and enabling stakeholder participation, such as continuous integration / continuous deployment tools.
•    Compliance management platforms: These offer frameworks for risk assessment, documentation and reporting that can specifically tailored to meet the requirements of SaaS platform while monitoring against compliance with different standards like SOC 2.

For SaaS companies navigating the change review and approval process with an emphasis on SOC 2 compliance, a comprehensive change management process can be a challenging but crucial step. It is foundational in ensuring that enhancements and developments are safe, compliant, in line with company objectives and technically sound. When carried out successfully, this can build user and stakeholder trust and reaffirm the SaaS companies dedication to security, dependability and ongoing compliance.


Read the other blogs in our change management series:


Disclaimer: AssuranceLab performs the role of an independent auditor across hundreds of client environments. We do not perform technical roles or assessments and this content is not intended to be comprehensive on those technical or detailed aspects of cybersecurity. You should perform further research and seek professional advice as appropriate before acting on any of the information contained here.

Some additional information in one line