SOC 2 Readiness | Risk Crew

What Our Customers Say About the Service

“A very positive experience. Risk Crew staff were friendly and professional throughout the engagement, keeping me informed and addressing all concerns in a timely manner. I won’t hesitate to recommend Risk Crew or use them for future engagements.”

Healthcare Industry Customer

“The directness and honesty when engaging with Risk Crew has always been a pleasure. This, combined with his vast in-depth understanding, and constant commitment ensures that beautiful solutions can be delivered in a timely and scalable manner, marks them out among their competition.”

Media Industry Customer

“All of the team at Risk Crew are very professional, friendly and knowledgeable. Over the past 6+ years their Cyber Security expertise has been invaluable and their helpful and flexible approach has harmonised with our requirements.”

Information Technology Industry Customer

5-Step Approach

Step 1

Review of Current Controls: First, Risk Crew will review the current controls you have implemented to ensure the security, availability confidentiality, processing integrity and privacy (known collectively as Trust Service Criteria or TSC).
Assessment of Controls: Controls are assessed for effectiveness and documented beside the applicable key performance indicators. The results indicate the quickest route to a successful audit.

Step 2

Based upon the above findings, Risk Crew shall then recommend the specific TSC to be validated in the audit and confirm this with you. At a minimum, SOC 2 reports must include the Security or Common Criteria — any other TSCs selected depend upon your business requirements.

The Trust Services Criteria are selected from the following:

Security: The system is protected against unauthorised access (both physical and logical). The system is protected from unauthorised access — both physical and logical. Examples of commonly examined SOC 2 security controls are logical access to infrastructure and vital systems such as source code repositories. Additionally, this could include password parameters, network devices configurations, firewalls and physical security controls that protect key infrastructure.
Availability: The system is accessible for operation and use as intended and agreed. The accessibility criteria require that the organisation have documented business continuity and disaster recovery plan and procedures. Additionally, it requires periodic backups and recovery tests.
Confidentiality: Information, which is designated as ‘Confidential’ is protected according to policy or agreement. Confidentiality criteria are often mistaken with privacy criteria. Most organisations have a requirement to protect Confidential information that is shared with them by other companies they do business with such as the protection of intellectual property.
Processing Integrity: System processing is complete, accurate, and authorised. Processing integrity is not involved within SOC 2 as often as the availability and confidentiality TSCs. Processing integrity is usually addressed in systems that process transaction such as payments.
Privacy: The privacy criteria should be considered when ‘personal information’ is processed, stored or transmitted by the system. It is imperative to note that the privacy criteria applies to personal information. This differs from the confidentiality criteria, which applies to other types of sensitive information.

Step 3

- - Identify Controls: Identify and document the policy reference that mandates the control, the applicable SOC 2 TSC, the actual control used to ensure the criteria is met, the control’s objective and key performance indicators and associated testing procedures used to verify the effectiveness of the control over time.
  - Mapping: By clearly depicting the relationship between policies and testing you will be able to provide clear evidence that SOC 2 TSCs are being met to your Auditor. Connecting the dots in this way simplifies and streamlines the Auditor’s work providing the essential data needed for the report.

Step 4

- - Assessment and Remediation: Where controls are insufficient or not present to demonstrate compliance to a selected TSC, Risk Crew shall recommend cost-effective remedial actions to ‘fill the gap’ and demonstrate compliance. We will also recommend controls that are most effective in the people, process or technology.
  - Recommendations: Risk Crew shall provide a recommended policy statement, the applicable TSC, a control, a control objective, KPI and testing procedures to be included in the map described above.

Step 5

Upon completion of the first four steps, Risk Crew shall conduct a workshop with your business’ stakeholders to ensure their understanding of the findings and SOC 2 compliance requirements. The workshop seeks to guide attendees through the steps required to obtain a favourable Type 1, SOC 2 Report.

Be 100% Prepared with Our Proven Track Record + 30 Years of Experience

Demonstrate Your Commitment to Security

Assurance customers that you have taken measures to secure your systems and protect their data.

Get a Competitive Advantage

Get a competitive advantage over organisations without SOC 2. Attain growth in the US.

Improve Your Security Posture

Validate that your systems and networks are secure to protect against security breaches.

Gain Operating Effectiveness

SOC 2 Type II requires 6 months of evidence and testing of the operating effectiveness, which ensures you are maintaining an efficient information security control environment.

Contact a SOC 2 Expert for a Quote or Consultation

Why Choose Risk Crew

Risk Crew has 30 years of hands-on skills and experience in successfully implementing cost-effective — security risk management compliance frameworks. All of our services come with our 100% satisfaction guarantee.