Tags: SOC2 CC8.1 · ITIL 4 Change Enablement · NIST CM-3 · ISO 27001 A.8.32 · Deep Prototype

ChangeRequestQueue — SOC2 CC8.1 Change-Management Board

28 RFCs across normal / standard / emergency. Per RFC: requester, reviewer chain, risk class, blast radius, rollback plan, customer notification, sign-off chain with timestamps, pre-deploy checks. Surfaces 4 RFCs awaiting review >14 days, 4 emergency RFCs (with documented post-hoc CAB ratification), and 1 rolled-back change with lessons-learned.


What it is

The shape behind every Change Advisory Board: ServiceNow Change Management (backed by its CMDB), Atlassian Jira Service Management, Linear's change-RFC pattern. It is the artifact a SOC2 auditor samples under CC8.1.

What’s in it

  • 28 RFCs (90 days) across 3 types: normal (14, full review), standard (3, pre-approved templates), emergency (4, post-hoc ratification).
  • Per-RFC shape:
    • Risk class + blast radius (tier-0 critical / tier-1 / tier-2 / external API / sub-processor)
    • Sign-off chain with role + timestamp (change-author → security review → CAB approval)
    • Pre-deploy checks (rollback plan documented, customer notification, staging tested, observability verified)
    • Notes + cross-tool references
  • Realistic catalog spans the prototype mesh:
    • RFC-1241 — argon2id migration (auth-svc), normal, deployed
    • RFC-1243 — emergency hotfix for cart-svc race condition during gameday (post-hoc CAB)
    • RFC-1247 — region-shift to us-west-2 (CarbonLedger 28% scope-3 reduction)
    • RFC-1249 — emergency Heap.io tag decommission (4h turnaround on GDPR Art 28 violation)
    • RFC-1251 — IAM CI access-keys → OIDC (closes SecretRotation SR30)
    • RFC-1252 — emergency drop CVV column from payments table (PCI-DSS Req 3.3.1 violation)
    • RFC-1254 — fix cookie banner reject-all on layer 1 (CookieConsent finding)
    • RFC-1261 — phishing-sim cadence ROLLED BACK after 4 weeks (lessons learned: cadence varies by role)
    • RFC-1264 — engage outside counsel for SEC TCR matter (WhistleblowerIntake WB-002447)
  • Sign-off chain visualization — every signer with role + when they signed, pending signers explicit.

Why this shape

SOC2 CC8.1 (change management) is among the most common SOC2 exceptions every audit cycle. ITIL 4 Change Enablement, NIST SP 800-53 CM-3 and ISO 27001:2022 A.8.32 converge on the same artifact: per-change risk classification, a sign-off chain with timestamps, a documented rollback plan, and post-hoc ratification for emergencies. The hardest part is the emergency path. A change that bypasses normal review still needs a documented post-hoc CAB ratification, timestamped after the deploy and traceable to a named role, and an emergency change with no such record is a common reason a team fails this control.
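The checks described above, written out as an added example in the same vanilla JavaScript the board itself uses. This is not the ChangeRequestQueue's own code: the record shape (type, status, openedAt, deployedAt, signoffs with role and signedAt, checks.rollbackPlan, lessonsLearned), the role names and the sample RFCs are assumptions constructed for illustration. It lints a queue of RFC records and returns, per RFC, the findings an auditor would raise: a pre-deploy signer missing or signed after deployment, an emergency change with no post-hoc CAB ratification (or one dated before the deploy), an RFC awaiting review past the 14-day SLA, a missing rollback plan, and a rollback with no lessons learned.

```javascript
// Added example, not the ChangeRequestQueue prototype's own code. The record
// shape, role names and sample RFCs below are assumptions made for illustration.

const REVIEW_SLA_DAYS = 14;
const MS_PER_DAY = 86400000;

// Signers that must have signed before a change of each type is deployed.
// Standard changes run on a pre-approved template, and emergency changes skip
// CAB before deploy; for those the post-hoc ratification is checked separately.
const REQUIRED_BEFORE_DEPLOY = {
  normal: ["change-author", "security-review", "cab-approval"],
  standard: ["change-author"],
  emergency: ["change-author"],
};

function daysBetween(earlierIso, laterIso) {
  return (Date.parse(laterIso) - Date.parse(earlierIso)) / MS_PER_DAY;
}

// Return the audit findings for one RFC; an empty array means it is clean.
function lintRfc(rfc, nowIso) {
  const findings = [];
  const required = REQUIRED_BEFORE_DEPLOY[rfc.type];
  if (!required) return [`unknown change type "${rfc.type}"`];

  const signoffFor = (role) => rfc.signoffs.find((s) => s.role === role);

  if (rfc.status === "awaiting-review") {
    // Before deploy only the review SLA applies; the gates are checked at deploy.
    const age = daysBetween(rfc.openedAt, nowIso);
    if (age > REVIEW_SLA_DAYS) {
      const missing = required.filter((role) => !signoffFor(role));
      findings.push(
        `awaiting review for ${Math.floor(age)} days (SLA ${REVIEW_SLA_DAYS}); ` +
          `missing: ${missing.join(", ")}`
      );
    }
    return findings;
  }

  // Deployed or rolled back: the pre-deploy chain must be complete, and every
  // required signature must carry a timestamp earlier than the deployment.
  const deployedAt = Date.parse(rfc.deployedAt);
  for (const role of required) {
    const s = signoffFor(role);
    if (!s) findings.push(`deployed without ${role} sign-off`);
    else if (Date.parse(s.signedAt) > deployedAt) findings.push(`${role} signed after deployment`);
  }

  // An emergency change bypassed CAB, so the post-hoc ratification is the
  // artifact the auditor asks for. It has to be dated after the deploy.
  if (rfc.type === "emergency") {
    const rat = signoffFor("cab-ratification");
    if (!rat) findings.push("emergency change has no post-hoc CAB ratification");
    else if (Date.parse(rat.signedAt) < deployedAt) findings.push("CAB ratification predates deployment");
  }

  if (!rfc.checks || !rfc.checks.rollbackPlan) findings.push("no documented rollback plan");

  if (rfc.status === "rolled-back" && !rfc.lessonsLearned) {
    findings.push("rolled back without lessons learned");
  }
  return findings;
}

// Lint the whole queue. Returns { [rfcId]: findings } for RFCs with findings.
function lintQueue(rfcs, nowIso) {
  const out = {};
  for (const rfc of rfcs) {
    const findings = lintRfc(rfc, nowIso);
    if (findings.length > 0) out[rfc.id] = findings;
  }
  return out;
}

// Constructed sample queue, not the prototype's catalog.
const NOW = "2024-06-30T00:00:00Z";
const SAMPLE_RFCS = [
  { id: "RFC-9001", type: "normal", status: "deployed", openedAt: "2024-06-01T09:00:00Z",
    deployedAt: "2024-06-05T14:00:00Z", checks: { rollbackPlan: true },
    signoffs: [ { role: "change-author", signedAt: "2024-06-01T09:00:00Z" },
                { role: "security-review", signedAt: "2024-06-03T11:00:00Z" },
                { role: "cab-approval", signedAt: "2024-06-04T16:00:00Z" } ] },
  { id: "RFC-9002", type: "emergency", status: "deployed", openedAt: "2024-06-10T02:00:00Z",
    deployedAt: "2024-06-10T03:30:00Z", checks: { rollbackPlan: true },
    signoffs: [ { role: "change-author", signedAt: "2024-06-10T02:00:00Z" } ] },
  { id: "RFC-9003", type: "emergency", status: "deployed", openedAt: "2024-06-12T02:00:00Z",
    deployedAt: "2024-06-12T03:00:00Z", checks: { rollbackPlan: true },
    signoffs: [ { role: "change-author", signedAt: "2024-06-12T02:00:00Z" },
                { role: "cab-ratification", signedAt: "2024-06-13T10:00:00Z" } ] },
  { id: "RFC-9004", type: "normal", status: "awaiting-review", openedAt: "2024-06-05T00:00:00Z",
    checks: { rollbackPlan: true },
    signoffs: [ { role: "change-author", signedAt: "2024-06-05T00:00:00Z" } ] },
  { id: "RFC-9005", type: "normal", status: "rolled-back", openedAt: "2024-05-01T09:00:00Z",
    deployedAt: "2024-05-08T14:00:00Z", checks: { rollbackPlan: false }, lessonsLearned: "",
    signoffs: [ { role: "change-author", signedAt: "2024-05-01T09:00:00Z" },
                { role: "security-review", signedAt: "2024-05-03T11:00:00Z" },
                { role: "cab-approval", signedAt: "2024-05-07T16:00:00Z" } ] },
];

console.log(JSON.stringify(lintQueue(SAMPLE_RFCS, NOW), null, 2));
```

Run it with node; the output is a JSON object keyed by RFC id listing only the RFCs with findings (RFC-9002, RFC-9004 and RFC-9005 in the sample). The one design point worth noting is that a ratification is only accepted when its timestamp is later than the deploy: a CAB signature dated before the change went out is ordinary pre-approval, and recording it as ratification would misstate which path the change actually took.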

How it ships

Single HTML file, ~25KB, zero dependencies. The 28 RFCs, the type and status filters, and the signer-chain renderer fit in 240 lines of vanilla JavaScript.
