MAST Consulting Group

Methodology — SOC 2 Type I & Type II Readiness

Our SOC 2 Type I & Type II Readiness methodology is built on five repeatable phases refined across hundreds of engagements in the UAE, KSA, India and Africa. Each phase produces signed-off artefacts that carry forward into the next.

Delivered by an ISO/IEC 27001, 27701 & 9001 certified organisation

Guiding principles

  • Risk-led, not checklist-led — every control traces back to a business risk.
  • Evidence-first delivery — every workshop ends with an artefact in your repository.
  • Local context — Arabic, English and Hindi delivery, local regulator relationships.
  • Single source of truth — one risk register, one control set, many audits.

Phase 1. Scoping

Select the Trust Services Criteria (TSC) categories in scope and define the system description.

  • Defined entry and exit criteria captured in the engagement charter
  • Weekly progress reporting against an agreed traffic-light scorecard
  • Outputs reviewed by a Lead Auditor before sign-off
  • Lessons captured to refine the next Compliance & Certification engagement
Delivery phases (process flow diagram): Scoping → Readiness Assessment → Control Build → Type I Audit → Type II Observation.

Phase 2. Readiness Assessment

Gap analysis with prioritised remediation roadmap.

  • Stakeholder interviews across business, IT, security, legal and audit
  • Document and tooling review against the applicable control set
  • Heatmap of current-state maturity by domain
  • Prioritised remediation backlog with effort and owner estimates

Phase 3. Control Build

Policy, process and tooling implementation.

  • Hands-on rollout with control owners — not slide-only consulting
  • Awareness training delivered in English, Arabic and Hindi as needed
  • Evidence captured in a single repository against each control
  • Weekly burn-down against the remediation backlog

Phase 4. Type I Audit

Point-in-time audit support.

  • Internal audit dry-run with formal findings register
  • Management review with executive sponsor
  • External audit liaison and observation room support
  • Findings closure plan with target dates and owners

Phase 5. Type II Observation

A 3- to 12-month observation window with ongoing evidence review.

  • Defined entry and exit criteria captured in the engagement charter
  • Weekly progress reporting against an agreed traffic-light scorecard
  • Outputs reviewed by a Lead Auditor before sign-off
  • Lessons captured to refine the next Compliance & Certification engagement

Quality gates

Each phase ends with a formal gate review attended by the engagement partner, your sponsor and any second-line stakeholders. No phase closes until the gate criteria are documented and signed off.

  • Gate 1 — scope, RACI and risk appetite formally agreed.
  • Gate 2 — control design reviewed and approved by your security committee.
  • Gate 3 — evidence pack independently sampled before audit submission.
  • Gate 4 — post-audit lessons-learned and continuous improvement plan signed off.