Overview
Significant Change Risk Evaluation is the process of identifying and assessing security, availability, and confidentiality risks introduced by major changes to systems, infrastructure, or business operations. It ensures that material changes are reviewed, documented, and mitigated before or immediately after implementation in line with SOC 2 CC3.4.
Step-by-Step Process
Identify significant change
The Process Owner monitors planned and unplanned changes to systems, vendors, infrastructure, or business processes and determines whether they qualify as significant. Significant changes include new systems, major architecture updates, data flow changes, or organizational restructures. The output is a logged change requiring risk evaluation.
Role: Security Lead
Log change for assessment
The Security Lead records the significant change in the designated tracking tool with a clear description, owner, and expected implementation date. This creates a formal record that triggers the risk evaluation workflow. The output is a documented change record.
Role: Security Lead
Define scope and assets impacted
The Security Lead identifies systems, data types, users, and third parties affected by the change. Scope definition ensures the risk assessment covers all relevant trust services criteria. The output is a scoped list of impacted assets and processes.
Role: Security Lead
Assess risks and likelihood
The Security Lead evaluates potential risks introduced by the change, including security, availability, confidentiality, and processing integrity risks. Likelihood and impact are rated using the organization’s standard risk methodology. The output is a completed risk assessment with documented ratings.
Role: Security Lead
Define mitigation actions
For risks exceeding acceptable thresholds, the Security Lead defines required mitigation actions such as control updates, testing, or monitoring enhancements. Each action is assigned an owner and target completion date. The output is a risk treatment plan.
Role: Security Lead
Approve risk acceptance or mitigation
The Security Lead reviews the assessment and either approves residual risk acceptance or confirms mitigation actions are required before or after implementation. Approval is documented to demonstrate management oversight. The output is an approval record.
Role: Security Lead
Retain evidence and monitor completion
All assessment records, approvals, and mitigation evidence are stored in the compliance repository. The Security Lead monitors mitigation completion and updates the record as actions are closed. The output is a complete, auditable change risk evaluation file.
Role: Security Lead
What You Need Before Starting
- Change request or project documentation describing the proposed change
- Access to risk assessment methodology or risk register
- System architecture diagrams or data flow diagrams
- Access to Jira, Confluence, or approved spreadsheet template
Evidence Your Auditor Expects
- Dated change risk assessment record showing risk ratings and impacted assets
- Screenshot or export of change ticket with risk evaluation completed and timestamp visible
- Documented mitigation plan with assigned owners and due dates
- Approval record (comment, signature, or status change) with date and approver name
How This Looks In Your Tools
Jira
Create or open the change ticket in Jira by navigating to Projects > Select Project > Issues > Create Issue and choosing the Change or Risk type. Complete required fields including Description, Impacted Systems, and Implementation Date.
Add the risk evaluation by selecting the Risk Assessment custom fields or by attaching a completed risk assessment file via Attachments > Upload. Document likelihood, impact, and mitigation actions in the ticket description or linked sub-tasks.
Route for approval by transitioning the issue to an Approval or Review status using the Status dropdown. Ensure the approver’s comment and the status change timestamp are visible in the ticket history.
Confluence
Navigate to the compliance space in Confluence and select Create > Page. Choose the “Change Risk Assessment” template or a blank page if no template exists.
Document the change description, impacted assets, risk ratings, and mitigation actions in structured tables. Use Insert > Table for risk scoring and Insert > Date to timestamp the assessment.
Request approval by using the page comments or @mentioning the approver and recording their approval comment. Ensure the page shows version history and last updated date under Page Information.
Spreadsheet
Open the approved risk assessment spreadsheet stored in the compliance drive (e.g., Google Sheets or Excel). Create a new row or tab for the change and enter the change description, date, and owner.
Complete columns for impacted assets, likelihood, impact, overall risk rating, and mitigation actions. Use data validation or dropdowns where available to ensure consistent scoring.
Save the file with the updated date in the filename or rely on file version history. Obtain approval by adding an approval column with approver name and date or by retaining an approval email linked to the file.
Common Audit Findings
- Significant changes not formally assessed
  - This occurs when teams implement major changes without notifying the Security Lead. Prevent this by defining clear criteria for what constitutes a significant change and integrating risk evaluation into the change management workflow.
- Missing documented approvals
  - Auditors often find risk assessments without evidence of review or approval. Require explicit approval steps and ensure comments, signatures, or status changes are retained with timestamps.
- Inconsistent risk scoring
  - Risk ratings vary when no standard methodology is applied. Use a defined likelihood and impact scale and require it for every assessment.
- Mitigation actions not tracked to completion
  - Mitigations are defined but not monitored, leaving residual risk unmanaged. Assign owners and due dates and periodically review open actions.
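As an added example (not part of this procedure or of Jira, Confluence, or any spreadsheet template), the following Python models a change risk record as described in the process steps and reports the findings listed above before the record reaches an auditor. The 3x3 likelihood/impact scale, the threshold of 4, and the sample record are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
# Assumed 3x3 scale and threshold; the page only refers to the organization's standard methodology.
SCALE = {"low": 1, "medium": 2, "high": 3}
ACCEPTABLE_THRESHOLD = 4  # likelihood x impact above this requires a treatment plan

@dataclass
class Mitigation:
    action: str
    owner: str = ""
    due: date | None = None
    closed: bool = False

@dataclass
class Risk:
    description: str
    likelihood: str
    impact: str
    mitigations: list[Mitigation] = field(default_factory=list)

@dataclass
class ChangeRecord:
    impacted_assets: list[str]
    risks: list[Risk]
    approver: str = ""
    approved_on: date | None = None

def audit_findings(rec: ChangeRecord, as_of: date) -> list[str]:
    """Findings an auditor would raise against this record as of the given date."""
    findings = []
    for r in rec.risks:
        if r.likelihood not in SCALE or r.impact not in SCALE:
            findings.append(f"{r.description}: inconsistent scoring, not on the standard scale")
        elif SCALE[r.likelihood] * SCALE[r.impact] > ACCEPTABLE_THRESHOLD:
            if not r.mitigations:
                findings.append(f"{r.description}: exceeds threshold with no mitigation plan")
            for m in r.mitigations:
                if not m.owner or m.due is None:
                    findings.append(f"{m.action}: mitigation has no owner or due date")
                elif not m.closed and m.due < as_of:
                    findings.append(f"{m.action}: mitigation overdue, not tracked to completion")
    if not rec.approver or rec.approved_on is None:
        findings.append("missing documented approval")
    return findings

def sample_record() -> ChangeRecord:  # constructed example, not from the page
    high = Risk("customer data sent to new vendor", "high", "high",
                [Mitigation("enable DLP monitoring on vendor egress")])  # no owner or due date
    return ChangeRecord(["payments-api", "customer PII store"], [high, Risk("deploy downtime", "low", "medium")])
```

Running `audit_findings(sample_record(), date.today())` flags the unowned mitigation and the missing approval, while the low/medium risk scores 2 and needs no treatment.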