SOC-CMM forum

Full Version: SOC Assessment report deliverable for a customer
I am conducting a SOC assessment for a customer and SOC-CMM is a great help in asking the right questions. Do you have any report/deliverable templates that I can use to craft a report?
I do not have a template for such a report, but I can give you an outline:

1. Management summary. Always start with this
2. Background. Provide the assessment background. A bit of information on the company profile, its current SOC outline, the reason for doing an assessment (goals), and the ambitions of the SOC. The ambitions can be used to define the target maturity level.
3. Methodology. How was the assessment conducted? e.g. time spent, methods for gathering of information, methods for analysis, models, additional information, etc.
4. Results. Provide the high-level results of the assessment. It helps to provide these results per domain to structure this chapter
5. Recommendations. The results provide information about the strengths and weaknesses of the SOC. This part looks at the results, finds underlying causes and provides recommendations on how to proceed. This can be detailed (e.g. create or modify the existing chapter to include several aspects) or more high-level (the span of control of the manager is too big, consider appointing team leads) or generic (documentation is missing or insufficient across the board)
6. Summary and conclusion. Summarize your findings and provide your overall conclusion
7. Annex: detailed results from the assessment (sheets provided separately). You can also create a table mapping the findings to the recommendations and providing a score to prioritize these efforts. This score can be used to create a roadmap for improvement: tackle the items with highest priority first, and the items that these high-priority findings depend on (even if those have a lower priority). The roadmap can be part of the assessment, but it depends on the scoping of the assignment.

Note: also mention things that are going well. Assessors / auditors sometimes have a tendency to only focus on things that are not going well, which can give a much more negative impression than is actually the case.
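The prioritisation rule in the annex (highest score first, but pull in the prerequisites of a high-priority finding even when their own score is lower) is easy to get wrong in a spreadsheet once findings depend on each other. The following is an added worked example, not code from the post above or from the SOC-CMM project: it builds the findings-to-recommendations table and a dependency-aware roadmap order. The finding IDs, the domain names, the impact/effort scoring formula and the sample findings are all constructed for illustration; substitute your own scoring from the assessment sheets.

```python
"""Findings-to-recommendations table and dependency-aware improvement roadmap.

Added example; the scoring formula and sample findings are assumptions,
not part of SOC-CMM or the forum post.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    id: str
    domain: str            # assessment domain the finding belongs to
    summary: str
    recommendation: str
    impact: int            # 1..5: how much closing the gap moves the SOC to its target level
    effort: int            # 1..5: 5 = hardest to implement
    depends_on: tuple = () # finding ids that must be addressed first


def priority(f: Finding) -> int:
    """Assumed scoring: high impact and low effort rank first (range 1..25)."""
    return f.impact * (6 - f.effort)


def mapping_table(findings):
    """Rows of (id, domain, recommendation, score), highest score first."""
    rows = sorted(findings, key=lambda f: (-priority(f), f.id))
    return [(f.id, f.domain, f.recommendation, priority(f)) for f in rows]


def build_roadmap(findings):
    """Order findings for the roadmap.

    Findings are taken in descending priority, but before a finding is placed
    its unscheduled prerequisites are placed first, even if their own score is
    lower. Unknown references and dependency cycles raise ValueError.
    """
    by_id = {f.id: f for f in findings}
    for f in findings:
        for dep in f.depends_on:
            if dep not in by_id:
                raise ValueError(f"{f.id} depends on unknown finding {dep}")

    order, done, visiting = [], set(), set()

    def place(fid: str) -> None:
        if fid in done:
            return
        if fid in visiting:
            raise ValueError(f"dependency cycle involving {fid}")
        visiting.add(fid)
        # prerequisites first; among several, the higher-scored one first
        deps = sorted(by_id[fid].depends_on, key=lambda d: -priority(by_id[d]))
        for dep in deps:
            place(dep)
        visiting.discard(fid)
        done.add(fid)
        order.append(fid)

    for f in sorted(findings, key=lambda f: (-priority(f), f.id)):
        place(f.id)
    return order


# Constructed sample findings (illustrative only).
SAMPLE_FINDINGS = [
    Finding("BUS-1", "business", "SOC mandate not documented",
            "Write and sign off a SOC charter", impact=3, effort=1),
    Finding("PEO-1", "people", "Span of control of the SOC manager is too big",
            "Appoint team leads", impact=4, effort=2),
    Finding("PRO-1", "process", "Incident response procedures undocumented",
            "Document IR procedures per incident category", impact=5, effort=2,
            depends_on=("BUS-1",)),
    Finding("PRO-2", "process", "No document management for SOC documentation",
            "Introduce a documentation inventory and review cycle", impact=2, effort=4),
    Finding("TEC-1", "technology", "No use-case management for detection content",
            "Set up a use-case lifecycle process", impact=5, effort=3,
            depends_on=("PRO-2",)),
    Finding("SER-1", "services", "Threat intelligence not feeding detection",
            "Integrate TI into use-case development", impact=3, effort=4,
            depends_on=("TEC-1",)),
]


if __name__ == "__main__":
    for row in mapping_table(SAMPLE_FINDINGS):
        print("%-6s %-11s %3d  %s" % (row[0], row[1], row[3], row[2]))
    print("Roadmap order:", " -> ".join(build_roadmap(SAMPLE_FINDINGS)))
```

In the sample, PRO-2 scores lowest (4) but is placed before TEC-1 (15) because TEC-1 depends on it, which is exactly the "even if those have a lower priority" rule from the annex; the cycle check keeps a mistaken A-depends-on-B-depends-on-A entry from silently producing a nonsensical roadmap.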