
SOC2 – ISMS Implementation


    Service Overview

    Many businesses have a significant amount of investment in IT and information security and place substantial emphasis on protecting sensitive and private information while ensuring service availability and integrity. In order to further mature their information security posture and to demonstrate their commitment to protecting the security and privacy of stakeholder information, organizations are implementing a SOC 2 Type 2 compliant Information Security Management System.


    The DeepSeas Platinum package for SOC2 implementation is defined as the Readiness Process. It is a compilation of policies, standards, templates, and guidance for successful compliance.

    Objectives

    The objectives of this initiative are as follows:

    • Achieve a SOC 2 Type 2 report.
    • Meet the spirit and intent of numerous information security and privacy-related compliance requirements under one common program framework, or Information Security Management System (ISMS).
    • Validate that the ISMS is effectively implemented, maintained, and continually improving.
    • Build strategically over time (establish momentum via quick wins, but keep moving forward, providing significant cost savings).
    • Leverage truth and transparency as a component of the Client's information security program strategy.

    Methodology

    This solution consists of the following:

    1. PROJECT MANAGEMENT
      1. DeepSeas Resources
        1. Security Program Manager (SPM)
      2. Projects are planned, executed, and closed using the following steps:
        1. Initialization / Initiation
          1. A meeting with project stakeholders and DeepSeas delivery resources to align on project objectives, timelines, and deliverables.
        2. Pre-Requisites / Planning
          1. Collection of all information needed to execute the project.
        3. Service Delivery / Execution
          1. Execution of the project and in-scope activities, including workshops, interview sessions, office hours, scanning, testing, training, and other in-scope project-specific work.
        4. Project Close / Close Out
          1. Review and approval of deliverables.
          2. Project close.
    2. GAP ASSESSMENT
      1. PLANNING - Preparation necessary to conduct an effective assessment, including:
        1. Scope Definition - Identifying the assets that will be the focus of the assessment, including people, process, and technology;
        2. Schedule Development - Scheduling, project plan creation, and resource identification.
      2. ASSESSMENT - Evaluation of controls applied to the assets defined in the Planning phase, including:
        1. Interviews - Interviews with Subject Matter Experts, business leaders, and other parties with knowledge of Client's cybersecurity controls;
        2. Artifact Analysis - Evaluation of policies, procedures, plans, reports, logs, and other artifacts.
      3. DOCUMENTATION - Documentation of all deliverables, including:
        1. Summary Findings - An executive summary of the process and findings;
        2. Detailed Findings - A complete inventory of assessed controls and documentation of gaps;
        3. Detailed Recommendations - A high-level set of recommendations to work toward compliance.
      4. PRESENTATION - Presentation of findings to the Client.
    3. GUIDED DOCUMENTATION DEVELOPMENT
      1. DEVELOPMENT
        1. DeepSeas will provide documentation templates to the Client and advise on initial development.
        2. DeepSeas will review documentation edits and accept all documents that align with SOC 2 standards. Documents that require additional edits will be addressed through scheduled working sessions.
        3. DeepSeas will conduct working sessions for the duration and frequency defined in the scope.
      2. STATUS MEETINGS
        1. DeepSeas will host regular status meetings to validate documentation tasks are on track and to address questions the Client may have regarding documentation development.
        2. DeepSeas will conduct status meetings for the duration and frequency defined in the scope.
    4. ASSET GATHERING & RISK ASSESSMENT
      1. INTERVIEW SCHEDULE
        1. The client will identify the departments and stakeholders required to attend interview sessions and a risk workshop by completing the interview schedule provided by DeepSeas.
      2. ASSET INVENTORY DEVELOPMENT
        1. The client will develop an asset inventory with associated risk profiles to conduct the risk assessment. DeepSeas will consult on mapping assets to the risk workbook and the creation of risk profiles.
      3. RISK WORKSHOP
        1. DeepSeas to conduct a risk workshop with ISMS Manager & risk owners, as defined in the interview schedule, to evaluate vulnerabilities and quantify risks for all asset categories.
        2. Each vulnerability/weakness will be assessed on:
          1. Likelihood of a measurable event occurring from exploitation of the vulnerability; and
          2. Potential impact from exploitation of the vulnerability.
        3. Vulnerabilities/weaknesses will be prioritized based on risk to the organization.
      4. DOCUMENTATION
        1. DeepSeas will develop a formal Risk Assessment Report.
      5. PRESENTATION
        1. DeepSeas will schedule a call with the Client to review all deliverables as part of the engagement.
    5. READINESS AUDIT
      1. PLANNING: Preparation necessary to conduct an effective readiness audit, including:
        1. Scope Definition - Review the audit's objectives, scope, criteria, and procedures as defined by the Client. In the event these audit attributes are not defined, the lead auditor will define these for approval from the Client's IT management.
        2. Schedule Development - Review and agree on the audit schedule (dates, times, and places).
      2. ENGAGEMENT: Conduct the opening meeting while communicating and clarifying the following:
        1. Audit Plan including audit objective, audit scope, language, audit criteria including standards, regulatory, contractual, legal requirements;
        2. Communication channels, roles, and responsibilities;
        3. The audit process for collecting and verifying objective evidence;
        4. Generating and reporting of audit findings and conclusions including grading of non-conformities;
        5. Information about conditions under which the audit may be terminated;
        6. Information about an appeal system on the conduct or conclusions of the audit.
      3. AUDIT: Perform the audit through:
        1. Review of previous audit findings (if any) and corrective actions;
        2. Review of ISMS standards, processes, procedures, specifications, contracts, and other relevant documentation;
        3. Interviews with identified staff with audit findings summarized and agreed upon amongst the auditees;
        4. Review of verifiable objective evidence or records to demonstrate compliance with documented policies, standards, and processes (Note: Evidence will be collected by appropriate sampling and must be verified);
        5. Preparing work documents such as checklists and sampling plans;
        6. Review of on-boarding and off-boarding;
        7. Access reviews, procedures, physical controls, and compliance requirements.
      4. PRESENTATION: Conduct Closing Meeting:
        1. Evaluate the audit evidence against the audit criteria to generate audit findings. Audit findings will indicate non-conformities with audit criteria and opportunities for improvement.
        2. The audit findings and conclusions will be presented in a manner that is understood and acknowledged by the Client auditees and, where appropriate, a timeframe for corrective action will be agreed upon.

    Deliverables

    DeepSeas will produce the following deliverables:

    1. COMMUNICATION PLAN - DeepSeas will build and maintain a communication plan to:
      1. Identify DeepSeas points of contact for project planning/updates and escalation.
      2. Identify client points of contact for project planning/updates and escalation.
    2. GAP ASSESSMENT
      1. SUMMARY FINDINGS - DeepSeas will deliver a report summarizing the findings of the initiative.
    3. GUIDED DOCUMENTATION DEVELOPMENT
      1. SOC 2 Documentation Templates
    4. ASSET GATHERING & RISK ASSESSMENT
      1. RISK ASSESSMENT REPORT - DeepSeas will deliver a risk assessment report with details pertinent to identified risks and the recommendations for remediation.
    5. READINESS AUDIT
      1. READINESS AUDIT REPORT - DeepSeas will provide a SOC 2 Readiness Audit Report to address:
        1. The extent of conformity of the management system with the audit criteria;
        2. The effective implementation, maintenance, and improvement of the management system;
        3. Audit follow-up as needed;
        4. Corrective and Preventive Actions;
        5. Corrective Action Form Approval.

    Client Responsibilities

    The client is responsible for the completion of the following tasks, in accordance with agreed-upon timelines established as part of the project plan.

    1. Client to assign a point of contact (POC) responsible for client coordination and logistics.
    2. The client is responsible for scheduling and coordination of internal client resources for all project work.
    3. Where applicable, Client to return completed interview schedule within two (2) weeks of initialization meeting.
