During the pre-assessment phase, your auditor will read and understand your organization’s cybersecurity risk management program. Afterward, the auditor will work with you to map your existing cybersecurity risk management program to specific criteria. At this point the auditor acts as a guide, helping you identify any gaps in the cybersecurity risk management program documentation and suggesting proper remediation to fill them. The objective of the pre-assessment is to get the organization SOC ready. This phase can last a few months or can even take over a year, depending on how strong the organization’s cybersecurity risk management program is prior to the pre-assessment phase.
Even if your organization does not have a cybersecurity risk management program in place prior to pre-assessment, your auditor will guide you in the creation of a cybersecurity risk management program tailored to your organization.