The Situation

A data analytics start-up needed to restructure its technical and non-technical operations to prepare for a SOC 2 Type 2 audit, with the aim of receiving an attestation report that leadership could then use in conversations with potential customers and investors.

The challenge was to keep the organisation flat, without setting up dedicated functions such as HR, Operations and Compliance Management, thereby retaining overall business agility while still putting all the required controls in place.

The Task

The end-to-end engagement was deliberately split into two separate phases: the first phase was completed in 4 weeks, while the second phase had a lead time of 8 months, including a 3-month review period by the auditor.

Phase #1: Gap Analysis & Roadmapping

  1. Kick Off meeting
  2. Functional assessment
  3. Procedural assessment
  4. Listing of mission-critical tech vendors
  5. Listing of tools
  6. Security posture assessment
  7. Evaluation of external SOC 2 auditors
  8. Gap analysis
  9. SOC 2 attestation plan/roadmap

Phase #2: Development of Controls & Evidence

  1. Initiation & Setup
  2. Appointment of the independent reviewer/auditor
  3. SOC 2 Readiness Build
  4. Readiness Assessment & Fieldwork
  5. Readiness Review & Remediation
  6. Type 2 Audit & Fieldwork
  7. Final Type 2 Audit Report Review

The Action / Approach

  • Gap analysis of existing controls and documentation relevant to a future SOC 2 audit.
  • Transformation of business operations across Product Development, Engineering, HR.
  • Development of technology-based and procedural controls relevant to Information Security, People Management and operational governance.
  • SaaS implementation of a Managed Security Awareness Training (MSAT) programme, so that all employees are regularly required to complete training and online refresher courses on cyber threats and on the protection of sensitive and personal data.
  • SaaS implementation of an Endpoint Detection & Response (EDR) platform with Threat Intelligence to detect and isolate suspicious activity running on any company workstation.

The Result

  • Full set of documented procedures developed, reviewed, distributed to all staff and ultimately accepted by the auditor.
  • Roll-out of the new MSAT programme based on the KnowBe4 platform.
  • Security Awareness Training completed by all staff (including C-suite team members).
  • Roll-out of the SentinelOne Singularity EDR platform, integrated with the ticketing system so that detections generate incidents requiring investigation and resolution.
  • SOC 2 audit and review period completed with all required evidence submitted and accepted; the company received its Attestation Report from the independent auditor, demonstrating operational alignment with SOC 2 Type 2 requirements.
