Why you should mind SOC 2 Compliance
Compliance with SOC 2 requirements indicates that your organization maintains a high level of information security. The SOC 2 standard is based on the following five Trust Services Criteria (TSC) categories: Security, Confidentiality, Availability, Data Processing and Data Privacy.
When you prepare for SOC 2 for the first time, you can focus on the “Security” TSC, which is mandatory for the SOC 2 attestation audit. Adding other TSCs to subsequent SOC 2 audits shows that your organization is strongly committed to information security practices.
Our team is here to help you get ready for the SOC 2 certification and make your certification process go smoothly. What is our approach to ensure effective preparation for SOC 2 compliance?
Because a formal SOC 2 audit is planned for the future, we run the SOC 2 preparation process in the same manner as a SOC 2 audit.
A gap assessment verifies that all key controls are documented and in place. This process requires a close review of your environment against the requirements of the criteria selected. A gap assessment serves to detect non-compliance points before a SOC 2 audit begins and enables you to remediate the gaps.
Our team audits your environment against the criteria selected and provides you with the gap assessment matrix and report.
To make gap remediation go more smoothly, we propose two sub-phases, as follows:
Once the gap remediation phase is completed, Stidia will verify the effectiveness of the security controls implemented.
When you perform the formal SOC 2 audit, we can assign an expert to join your team and:
The timelines are based on the assumption that you will provide requested information / documentation on time.
Phase# | Phase | Duration |
---|---|---|
1 | Gap Assessment | 6-8 weeks |
2 | Gap Remediation | 12-16 weeks |
3 | Control Operating Effectiveness | 4-6 weeks |
optional | Formal SOC 2 audit preparation | Depends on the external auditor schedule |
The estimated timelines take into consideration the time you need to answer the preliminary questionnaire and additional questions, set up meetings and create / update policies (if you opt to do it yourselves).
Inventory the current IT environment and the control processes in place to identify missing controls. Pricing is determined based on an intake questionnaire.
Small and medium-sized organizations.
Remediate and implement the control gaps identified. Once the gap assessment is complete, if you decide to do phase 2 with us, including policy creation, we will provide you with a custom quote.
Small and medium-sized organizations that want to prepare for SOC 2 compliance and have identified missing controls.
Control operating effectiveness. Verify that all controls have been implemented and confirm SOC 2 readiness.
Small and medium-sized organizations that have controls implemented and want to verify SOC 2 audit readiness (yearly).
Formal SOC 2 audit preparation
When you perform the formal SOC 2 audit, we can assign an expert to join your team and:
• Assist you during pre-audit meetings.
• Prepare the audit evidence for the external auditors.
• Draft or review the two mandatory chapters in the SOC 2 audit report (Management Assertion Letter and IT Environment Description).
SOC 2 preparation is tailored to the unique needs of your organization. To better understand your current state and narrow down the SOC 2 scope, you need to answer a set of preliminary questions. We then provide you with a custom offer that best suits your organization’s scope.
We also provide additional services during and after project implementation. The following additional services can be provided on the project at the client’s request:
- Mini SOC 2 – Yearly SOC 2 type audit
- Web vulnerability audits, public IP range and network audits
- Penetration tests
To provide you with a custom offer that best suits your organization’s scope, please answer the preliminary questions below and submit your answer.