Overview

As a SOC 2 consulting service provider, we advise our clients in SOC 2 attestation through a 6-phase implementation approach that includes understanding client business, setting business and security policy objectives, determining applicable SOC 2 trust principles, gap analysis, detail risk assessment, risk remediation support, policy documentation, end user training, monitoring, measurement, and audit, thereby leading to successful SOC 2 attestation.
With 20 years of security, governance risk and compliance practice, our methodology has been successfully implemented in business of all sizes and sectors, across the globe. Whether you are a startup in AI-ML-Data Science, SAAS, PAAS, IAAS provider, product developer or customer, or brick and mortar local or global business, we have implemented SOC 2 in fairly all industry sectors.
Security and compliance is everyone’s responsibility. We consider our methodology as most comprehensive as we involve every client key stakeholder in our SOC 2 implementation journey. We ensure ‘security by design’, and ‘privacy by design’ principles as part of client’s business DNA.
How fast can Coral get us SOC 2 certified? We follow an agile philosophy where phases of the project can run in parallel, resulting in achieving SOC 2 certification faster.
Contact us today to get started.

Kindly share your details for SOC2 requirements

What are the SOC 2 Trust Principles

SOC 2 has the following 5 principles, listed below are the principles and their objectives.

Common Criteria Security: The system is protected, both logically and physically, against unauthorised access.
Availability: The system is available for operation and use as committed or agreed to.
Processing Integrity: System processing is complete, accurate, timely, and authorized.
Confidentiality: Information that is designated ‘confidential’ is protected as committed or agreed.
Privacy: Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice and with the privacy principles put forth by the American Institute of Certified Public Accountants, and the Canadian Institute of Chartered Public Accountants (CICA).

Each of these principles has more detail risks/controls that need to be fulfilled.

SOC 2 Consulting Engagement Phases

Here is a brief overview of all the phases involved in implementing SOC 2 attestation.

Phase I - Understanding Business, and Security Requirements and SOC 2 Report Objectives

Every client is unique with its business model, customers and business objectives.
The SOC 2 implementation journey starts with this phase where we determine and document the clients’ business requirements for SOC 2 including the applicable criteria.
SOC 2 Attestation requirement - Type 1 or Type 2

Phase II -
Gap Analysis and Risk Assessment

As the name suggests, this phase is aimed at determining both the current controls and the ‘missing controls’.
In addition this phase involves determining information and its lifecycle, with its assets that store, process and/or transmit the information.
How comprehensive is the risk assessment? We perform a 4-phase risk assessment that involves information assets, security controls and policy objectives, thereby giving clients an unparalleled view of their security risks.
With more and more organizations choosing a combination of on prem and cloud, or moving to the cloud altogether, this phase has become a key focus area. Cloud brings in challenges related to control ownership, which we help in assessing in this phase.
Gap Analysis phase is a key phase in designing control responsibility to stakeholders.
This is where identified gaps, applicable controls (based on applicable criteria), with their references to stakeholders and policy/procedure requirements are determined, and documented.

Phase III - Design, Documentation and Risk Monitoring

Design involves control allocation responsibility to organisation stakeholders.
Documentation involves drafting 25+ policies and procedures.
The phase involves brainstorming and training staff to align them with documented controls and policies.
Risks identified in the gap analysis are tracked towards closure.

Phase IV - Control Measurement

Measurement involves testing the control effectiveness and giving a 0-100% score.
We have a structured methodology using that we score controls based on interplay of business transactions with SOC 2 controls, and present this to the management using a formal report.

Phase V - Internal Audit and Management Review

Internal Audit involves verifying the effectiveness of the implemented lifecycle controls through interviews with physical and system verification of applicable controls, as it applies to the organisation control design.
A formal report is published for management committee.
We facilitate reviews with the management to ensure that the initial SOC 2 policy objectives and goals are achieved.

Phase VI - CPA Support

Once the management framework is implemented, the chosen CPA firm performs audit, which includes the followings:

Documentation Review
Interviews
Testing control effectiveness

Once the CPA firm has completed the assessment, a draft report is issued, which is reviewed by the client, for final report. A typical report has 5 sections.

Finally, upon receiving their SOC 2 report, the clients are officially SOC 2 attested.

Questions?

Seek a one to one session with our Principal Consultant, who will answer your questions to get started.

Contact Us Now !

SOC 2 FAQs

What is SOC 2?

System and Organization Control (SOC 2) is published by American Institute of Public Accountant (AICPA) as a standard reference to be used by any organization to demonstrate implementation of security best practices.

SOC 2 has 5 trust principle, namely common criteria security, processing integrity, availability, confidentiality and privacy. These 5 trust principles have a total of nearly 330 controls, called as point of focus (POF). POF is not exactly same as controls as the organization needs to decide the degree of alignment with its implementation journey.

In the phrase ‘system and organization control, ‘system’ represents the services or product or solution that the service organization delivers to its clients (user entity). Organization controls refers to the controls that organization applies based on its business to demonstrate adequate security.
Who needs SOC 2 report?
- SOC 2 compliance is applicable mostly to outsourcing vendors, who have the customer data in their network
- This can be any service provider ranging from business process outsourcing, technology companies, and cloud service providers.
Who attests SOC 2 reports?

Certified Public Accountants (CPA) Firms issue SOC 2 reports.
What is the difference between Type 1 and Type 2 report?
- Type 1 report is issued for organizations who demonstrate control design, whereas a type 2 report is issued when the controls can be tested over a period of time, typically 3-6 months.
- Type 1 is when an organization has designed and implemented controls for the first time and just perhaps have only necessary records to show that they have been designed well.
- A type 1 scenario could be when a SAAS platform has designed controls and may not have customers to show actual operations.
- Type 2 is when the organization has security and compliance records over a longer period that it can show the implementation effectiveness
What is the difference between a qualified and unqualified report?
- An unqualified report is one in which the auditor has no exception to report, thereby indicating that the controls designed are effective.
- A qualified report is one in which the auditor reports one or more exception.
What is the benefit of SOC 2 for service organizations who implement them?

SOC 2 is synonymous with security best practices. When an organization implements SOC 2 it has established a governance program that is driven by management participation and sponsorship. Most organizations nominate a CISO or a risk and compliance manager to drive this program.
What is a bridge letter?

Bridge letter is a self-attestation of ‘internal control effectiveness’ by the service organization management representative, for a period not covered in the attestation report.

For instance, if a service organization was attested for Jan to June 2022 and then again, the same period for 2023, the service provider can use the bridge letter for the intervening period, in this case July to Dec 2022.

Consulting Services

Why Coral?

Contact Us

Request a call back

SOC 2 Consulting Readiness, Implementation, Audit and Program Management