Phase I: Conduct readiness assessment
The main goal of this phase is to identify any gaps of the existing technical and organizational controls of the Organization against the security requirements and best practises. Conducting a scoping and readiness assessment can help the Organization understand the operating environment, find deficiencies and areas of non-compliance with the TSC requirements and actions for improvement.
Phase II: Prepare appropriate evidences
The main goal of this phase is to assist Organization in the preparation of the missing evidences and controls required by the AICPA TSC. Specifically, the following actions will be conducted:
- Prepare missing Security Policies & Procedures based on the Phase I results
- Guide authorized Organization employees in order to implement the appropriate mitigation actions for any missing control required by the AICPA TSC
- Monitor and Review the corrective actions required based on the Phase I results
Phase III: Risk Assessment
The main goal of this phase is the identification and evaluation of risks that Organization faces. In order to achieve this, a detailed risk assessment will be conducted based on the ISO 27005 Risk Assessment methodology via the STORM tool.
Specifically, an assessment and evaluation of each asset will be conducted, in order to define the impact on its Availability and/or Confidentiality and / or Integrity, in the event of loss of security. For that reason, different types of impacts (e.g. financial, legal, operational, etc.) will be considered that could come up as a result from the Company’s loss of data and information security.
To this end, specially formulated questionnaires will be used, in which the involved parties will be invited to give their assessments from their own perspective, using the Impact Assessment Scale of the methodology.
At the same time, the identification and evaluation of threats and vulnerabilities for each IT asset will be carried out with the use of electronic questionnaires. For each asset, depending on its type, threat groups (e.g. natural threats, technological threats, environmental threats, data tampering attacks, etc.) will be mapped and a threat and vulnerability assessment will be assessed, in accordance with the methodology scale. After completing the previous steps and calculating the respective Impact (I), Threat (T) and Vulnerability (V) Levels for each asset (A), the Risk Level (R) will be calculated using the Risk Assessment Scale. Finally, a series of proposed countermeasures (based on ISO 27001) will be specified to reduce the level of risk per IT asset.
Phase IV: Internal Audit
Internal Audits will be conducted in this Phase, in order to ensure the compliance with the policies and procedures as well as with the SOC 2 TSC requirements. If any non-compliance is found, the consultants will propose and contribute to their immediate settlement by the company. Specifically, the purpose of this phase is to:
- confirm that the Organization conforms with the requirements of the SOC 2 TSC
- confirm that the Organization has effectively implemented the planned security controls
- identify any grey areas that need further protection.
Phase V: Support During the External Audit
The consultants will assist Organization’s personnel during the external audits, as well as guide them in order to justify the appropriate corrective actions that may requested by the External Auditors.