SOC 2 CC3.4: Change Risk Assessment
Change risk assessment is foundational to SOC 2 compliance—but many SMBs lack formal processes to evaluate how system changes affect internal controls. CC3.4 requires you to systematically identify and assess changes that could significantly impact your control environment. Without proper risk assessment, you risk deploying changes that undermine your security posture.
What this means
CC3.4 requires your organization to establish and maintain a process for identifying all changes to your system of internal control—whether technical, operational, or procedural—and assessing their potential impact on control effectiveness. This means before any significant change is deployed, you must evaluate whether it could weaken, strengthen, or eliminate existing controls. The assessment should consider likelihood and severity of impact, determine if controls need modification, and document findings for stakeholder review.
How to comply
- 1.Define what constitutes a 'significant change' in your environment (system upgrades, process modifications, personnel changes, policy updates)
- 2.Create a change assessment form or checklist that maps proposed changes against your control objectives
- 3.Require change requestors to document the change, affected systems, and preliminary risk assessment before approval
- 4.Establish a review committee to evaluate documented changes against your control matrix
- 5.Document the risk assessment outcome—approved, approved with modifications, or rejected—with rationale
- 6.Maintain a change log that traces each significant change and its corresponding risk assessment
- 7.Review and update your change risk process at least annually or when control environment changes materially
Evidence auditors look for
- Change request forms with risk assessment sections completed and signed off
- Change control logs documenting assessment dates, reviewers, and impact conclusions
- Control matrix documents showing which controls are affected by each change
- Meeting minutes from change approval committees discussing risk implications
- Policy documents defining the change assessment process and escalation criteria
- Email trails or system records showing change assessment completion before deployment
- Annual review documentation confirming the change assessment process remains effective
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates change risk assessment by maintaining your live control matrix and flagging which controls each change impacts—eliminating manual spreadsheet tracking and ensuring nothing slips through assessment before deployment.
See how GRCWatch handles this control automatically
Start free trial