SOC 2 — CC8 Change Management (Common Criteria)
50% covered.
2 requirements · 1 enforced · 0 designed · 0 advisory · 0 deferred.
Source: SOC 2 — CC8 Change Management (Common Criteria) — Trust Services Criteria attestation framework. KYE Protocol™ governs the SUBSET that resolves at the action boundary — the moment an AI-driven production action (a rollback / hotfix / infra-change) moves toward a consequential effect — under a recorded change-authority decision, with the change-class due-diligence recorded, replay-provable provenance, and named sign-off. KYE does not detect the incident, perform RCA, monitor the system, or operate the change-management tooling.
License: The SOC 2 Trust Services Criteria are published by the AICPA; KYE registry references the CC8 change-management criteria descriptively for mapping purposes and asserts no ownership of the criteria text.
By category
| Category | Reqs | Enforced | Designed | Advisory | Deferred | Coverage |
|---|---|---|---|---|---|---|
| Change management — authorization & evidence (enforced action-boundary subset) | 1 | 1 | 0 | 0 | 0 | 100% |
| Change development & testing (out-of-scope — engineering / qa) | 1 | 0 | 0 | 0 | 0 | 0% |
Every requirement → the KYE™ artefact that enforces it
| ID | Title | Status | KYE™ enforcement |
|---|---|---|---|
| soc2-cc8-change-management.cc8-1-change-authorization | CC8.1: an AI-proposed production change is authorized, documented, and evidenced before it is deployed | enforced | rule_packs: kye:rule-pack:production-action-authority; dictionaries: internal; engines: internal, internal, internal; audit_events: kye.purpose.request.v1, kye.purpose.admissibility.v1, kye.evidence.decision_map.v1, kye.evidence.pack.v1; constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/13-RESILIENCE-LOOP.md |
| soc2-cc8-change-management.cc8-development-testing | Change design, development, and testing activities | out-of-scope | (no enforcement cited) |