• Service Organisation Controls (SOC 2) is published by the American Institute of Certified Public Accountants (AICPA).
  • SOC 2 attestation provides assurance that a service organisation (your organisation) has a formal, documented enterprise risk and cyber security governance program in place.
  • SOC 2 has 5 trust principles consisting of 298 risk mitigation requirements.
  • Depending upon the nature of the business, scope of service delivered, data acquired, production environment location, and commitment to secure, the applicable trust principles are decided.
  • A security control describes how one of the applicable 298 requirements has been achieved in the context of the organisation. Controls combine objectives, security policies, procedures, responsibilities, technology and ongoing measurement processes. Security domains include technical, personnel, physical, supplier, and management processes such as risk assessment.
  • A SOC 2 Type 1 report is issued to a service organisation when evidence demonstrates that the policies are designed and documented and their implementation has just started. A Type 1 report involves testing at least ‘one’ record of every security control.
  • A SOC 2 Type 2 report is issued to a service organisation when evidence demonstrates that the policies are designed and documented and have been operating for a longer period of time – say 6 months. A Type 2 report involves testing 5 to 25 samples, depending on the nature of the security transactions.
  • At Coral, we provide SOC 2 implementation/readiness support. With more than 100 implementations across industry sectors, we have a simple yet comprehensive implementation methodology.
  • We achieve this through a phase-wise approach that ensures all the applicable requirements are implemented by the organisation, enabling successful SOC 2 attestation/certification.

Service Organisation Control (SOC 2)
What are the SOC 2 Trust Principles?
SOC 2 has the following 5 principles; each is listed below with its objective.
  • Common Criteria Security: The system is protected, both logically and physically, against unauthorised access.
  • Availability: The system is available for operation and use as committed or agreed to.
  • Processing Integrity: System processing is complete, accurate, timely, and authorized.
  • Confidentiality: Information that is designated ‘confidential’ is protected as committed or agreed.
  • Privacy: Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice and with the privacy principles put forth by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Public Accountants (CICA).
Each of these principles has more detailed risks/controls that need to be fulfilled.
Project Phases
We have a structured approach to determine the applicable list of risks and controls that are required to achieve SOC 2 attestation. Our approach ensures that the service organisation has adequate ‘internal controls’ over applicable security criteria, to assure any Certified Public Accountant (CPA) for issuance of SOC 2 reports.

PHASE I - Determination of Objectives

This phase involves determining the objectives of the user entity as well as of the service organisation.

PHASE II - Gap Analysis

This phase involves performing a gap analysis between the objectives listed above on one hand and the applicable SOC 2 controls and risks on the other. We provide solutions for all identified gaps.

PHASE III - Control Design and Documentation

This phase applies our methodology for distributing risk and control responsibility to internal stakeholders. It also includes nominating key roles, such as a risk officer who will drive the ongoing compliance.


This phase involves tracking the client risks, documentation and self-compliance on a weekly basis till all internal controls are adequately implemented.

PHASE V - Performance Tracking

This phase involves showing the client the changes in a given period by providing a change-specific compliance score between 0 and 100%. This gives the organisation evidence of a measurable framework for demonstrating internal controls.

PHASE VI - Internal Audit

An internal audit followed by a formal review of the program gives the organisation an independent perspective and enables it to be ready for final attestation.

At this stage the client has implemented the governance system in full. Generally, upon completion of one month of this, the organisation can achieve SOC 2 – Type 1 attestation, and upon completion of 6 months, the client can achieve Type 2 attestation. The assumption here is that all risks are under control, which will give adequate assurance to the user entity.


We provide bespoke training; our offerings are listed below.

  • Shorter sessions from 1 hour to 4 hours
  • Interpretation of the SOC 2 requirements
  • 1-day awareness session
  • 2-day internal audit course
  • 3-day implementation course covering 10+ hands-on exercises

Upon receiving your request, we will provide you further details.

Documentation Toolkit

SOC 2 requires documentation of policies, procedures and records. As a result of several consulting assignments, we have some of the best content available that covers all the requirements.

Our documentation has the following salient features:

  • Alignment with all SOC 2 policy documentation requirements
  • Our experiences turned into documentation templates
  • Project Tracking tools to support the implementation
  • Q&A support

Internal Audit

An independent assessment helps to assess the state of compliance. Our internal audit methodology covers people, process, technology and measurements to give management assurance of the degree of SOC 2 compliance. Typically it takes 3-5 days to perform a comprehensive internal audit.

Risk Assessment

SOC 2 requires a comprehensive risk assessment of business objectives, information assets, network services, policies and procedures, and organisation structure, to name a few. We have a complete risk assessment methodology that helps you achieve and demonstrate SOC 2 requirements.

Let us know if you are interested.

Program Management

Our consulting methodology and experience have helped us understand what it takes to design and maintain successful SOC 2 compliance. The outsourcing model moves the compliance responsibility to an external team, while management focuses on customer/business delivery.
