Service Summary

A packaged Consulting Service for running a system-wide analysis of an organisation in relation to Information Security, Governance, Risk, Compliance and readiness assessment for future SOC 2 audits. It’s a SOW-based and fixed-price engagement tailored for SME organisations (20-500 people).

Typical Benefits

SOC, which stands for Service Organisation Control, is a framework (developed by the American Institute of Certified Public Accountants, AICPA) used to assess the controls and processes of organisations that develop and provide solutions through internally sourced as well as externally sourced services (e.g. Service Providers, Cloud Computing).

A SOC 2 audit report is increasingly requested by a wide range of stakeholders, including Customers, Regulators and Business Partners (e.g. investors). In the context of small and medium-sized entities it should therefore be considered an important tool for growth, since it promotes “trusted provider” status when engaging with larger organisations, especially when these are Customers or Investors.

The outcomes of this Consulting Package are:

  1. Summary of operational findings
  2. RAG report and insights on key areas’ readiness
  3. SOC 2 controls and process audit roadmap

The benefits offered by this Consulting Package:

  • A one-off fixed-price engagement
  • A non-intrusive intervention that relies on an established Lean-Agile execution method
  • A more granular awareness of strengths and areas of improvement across the organisation’s system
  • Substantial risk mitigation for a costly and time-consuming audit roadmap

Overview

This Consulting Package focuses on assessing and reporting the overall system readiness for any micro, small or medium-sized organisation (from 10 to 250 people) in specific relation to SOC 2, which implies having developed controls and processes relevant to Security, Confidentiality, Integrity, Availability and Data Privacy.

Lead time

4-8 weeks.

Approach

As also detailed in the Statement of Work, the engagement will consider the execution of the following.

#1: Kick Off Meeting

The Consulting engagement will commence with a Kick Off Meeting with all relevant stakeholders from the Client.

#2: Functional assessment

This will identify the Client’s operational functions that contribute to the delivery of products and services to their own customers and users (e.g. Engineering, Product, Sales, Marketing, Customer Support, etc.); there will also be an assessment of any future department being considered in relation to near/mid-term business growth plans.

#3: Procedural assessment

This will assess the existence of policies and procedures across all functions (e.g. Incident Response Plan, Change Management, Risk Management, Onboarding/Off-boarding of staff, etc.) that will be relevant to the overall readiness for a future SOC 2 attestation journey.

#4: Listing of mission-critical suppliers

This will identify all service providers supplying the Client’s organisation with the mission-critical applications and infrastructure solutions used to deliver its products and/or services.

#5: Listing of tools

This will identify all tools used on a daily basis across all business functions, from laptops to applications and services used for collaborative work.

#6: Security Posture assessment

A high-level assessment of the Client’s current security posture, identifying user access controls, adoption of Role-Based Access permissions, use of Endpoint Detection and Response (EDR) systems, Malware Protection and Threat Intelligence, as well as use of encrypted connections (VPNs) and Data Protection practices.

#7: Review of independent SOC 2 auditors

This will assess options for the future appointment of an independent audit organisation (CPA-rated) to review controls and processes and to produce the formal SOC 2 attestation report, once the separate implementation phase is completed (not in scope of this engagement).

#8: Gap analysis

This will be performed on the basis of all the information collected across the earlier tasks, supplemented by interview sessions with relevant stakeholders (if required); the outcome will be the list of findings.

#9: SOC 2 attestation plan/roadmap

On the basis of all the information collected across the earlier tasks and the gap analysis performed, this will develop into a plan for the future execution of the compliance effort aimed at obtaining a formal SOC 2 attestation report.

Service Delivery Experts

Andrew Celi

Our Requirements of You

For the successful delivery of this Consulting engagement, these are the main requirements:

  • Formal contracting by means of a Statement of Work that will be drafted, reviewed and signed-off
  • Kick-off meeting with relevant stakeholders
  • An executive sponsor from the Client’s organisation available and able to resolve any significant issue that may impact the timely completion of the engagement
  • Operational support in place and user access for the Consultant to relevant data, processes, policies, meeting rooms and nominated resources
  • Exit review meeting with relevant stakeholders and contributors to the engagement’s outcomes

Our Commitments to You

Our commitments to Clients acquiring this Consulting Package are:

  • Support throughout the engagement using our World Class Professionals and Subject Matter Experts
  • High-quality deliverables finalised in a timely manner and in line with what was agreed in the Statement of Work
  • Deep insights and genuine value-add in all possible areas throughout the engagement (Systems Thinking)
  • Progress updates and feedback provided as committed in the Statement of Work
  • Respect all personal and professional development of client team members throughout the engagement

Deliverables

  • Gap analysis findings
  • List of required operational changes
  • Controls and processes implementation roadmap
  • Draft Statement of Work for proceeding into implementation, SOC 2 audit and reporting (if applicable)

Available Service Engagement Model

Project Based Engagement

Project Based Engagements operate on the basis of agreeing the work and any outcomes or milestones for delivery in a ‘Statement of Work’ in advance of commencement of the engagement. Prices are fixed for the agreed deliverables; should changes be required, these may incur changes to delivery costs. Payment terms for Project Based Engagements are agreed on a case-by-case basis, giving consideration to risk, contract value, client payment history, relationship longevity and duration.