Scoping involves the identification of:
Based on the outcome of phase I, a combination of approaches is applied by Coral SOC 2 consultants to conduct the gap analysis.
Coral consultants will provide detailed recommendations for each identified gap.
After the policy gaps and risks are remediated, the controls are tested over a period of time, the length of which depends on the client's report requirements.
At this stage:
The chosen CPA firm performs an audit, which includes the following phases:
Once the CPA firm is satisfied with the completeness of the controls, a formal report is issued to the client detailing the controls tested and their test results.
At this stage, the client is officially SOC 2 attested.
Book a one-to-one session with our Principal Consultant, who will answer your questions and help you get started.
System and Organization Controls (SOC 2) is published by the American Institute of Certified Public Accountants (AICPA) as a standard reference that any organization can use to demonstrate the implementation of security best practices.
SOC 2 has 5 trust principles, namely security (the common criteria), processing integrity, availability, confidentiality and privacy. Across these 5 trust principles there are nearly 330 controls, called points of focus (POFs). The POFs act as a guide from which organizations choose those that are applicable to them.
In the phrase ‘system and organization controls’, ‘system’ represents the service, product or solution that the service organization delivers to its clients (the user entity). Organizational controls refer to the controls that an organization applies, based on its business, to demonstrate adequate security.
US-based Certified Public Accountants (CPA)
SOC 2 is synonymous with security best practices. When an organization implements SOC 2, it establishes a governance program that is driven by management participation and sponsorship. Most organizations nominate a CISO or a risk and compliance manager to drive this program.
A bridge letter is a self-attestation of ‘internal control effectiveness’ by the service organization's management representative, covering a period not included in the attestation report.
For instance, if a service organization was attested for January to June 2022 and again for the same period in 2023, it can use a bridge letter to cover the intervening period, in this case July to December 2022.
A number of factors play a role in determining the fee, such as:
A SOC 2 engagement involves two participants: a readiness consultant (such as Coral) and a CPA firm.
These numbers are estimates. For an exact fee, please contact us: we conduct an initial session in which we determine the applicable requirements, including the trust principles in scope, and on that basis submit a fixed-fee commercial proposal.
© 2024 www.coralesecure.com. All rights reserved.