157SOC2GA Base

SOC2 – Gap Assessment

    Service Overview

    Many businesses face security and privacy compliance requirements. Understanding the path to compliance can be difficult, and a lack of clarity can lead to controls that are too expensive or overbearing, or, at the opposite end of the spectrum, simply not adequate or reasonable. These gaps may cause anything from minor inconvenience to significant damage, and they may result in severe financial penalties, loss of public trust, and harm to corporate reputation.

    A Gap Assessment provides the basic insight necessary to formulate a reasonable action plan and path to compliance, while considering the unique organizational environment, including people, processes, and technology. Because compliance is not optional, understanding gaps, documenting and communicating them, and building a corrective action plan should be performed to an adequate and reasonable level.

    This Gap Assessment will provide a comprehensive evaluation of the Client's compliance posture, the gaps identified against the applicable requirements, and a plan for effectively mitigating those gaps.

    Objectives

    The objectives of this initiative are as follows:

    • Perform a current state analysis
    • Identify and document gaps in accordance with applicable laws and regulations
    • Initiate the Compliance Program
    • Prepare for risk-based prioritization of control implementation

    Methodology

    This Gap Assessment consists of the following phases:

    1. PLANNING - Preparation necessary to conduct an effective assessment, including:
      1. Scope Definition - Identifying the assets that will be the focus of the assessment, including people, process, and technology;
      2. Schedule Development - Scheduling, project plan creation, and resource identification.
    2. ASSESSMENT - Evaluation of controls applied to the assets defined in the Planning phase, including:
      1. Interviews - Interviews with Subject Matter Experts, business leaders, and other parties with knowledge of the Client's cybersecurity controls;
      2. Artifact Analysis - Evaluation of policies, procedures, plans, reports, logs, and other artifacts.
    3. DOCUMENTATION - Documentation of all deliverables, including:
      1. Gap Assessment Report - A summarized findings report of all identified gaps.
    4. PRESENTATION - Presentation of findings to the Client.

    Deliverables

    DeepSeas will produce the following deliverables:

    1. GAP ASSESSMENT REPORT - DeepSeas will deliver a report summarizing the findings of the initiative.

    Client Responsibilities

    The Client is responsible for the completion of the following tasks, in accordance with the agreed-upon timelines established as part of the project plan.

    1. The Client will assign a point of contact (POC) responsible for Client coordination and logistics.
    2. The Client is responsible for scheduling and coordinating internal Client resources for all project work.