top of page

Proven Methodology

Yucca TI Consulting has developed a proven coaching methodology. Regardless of the compliance program that is selected by the client, the approach is similar. All materials used by Yucca IT Consulting are documented with Microsoft Office 2016 products. Also, all materials are bilingual (French and English).

Gap analysis

Using a questionnaire of more than 200 questions, the client describes his

practices, processes and ways of doing things concerning technology

information.  All major areas of IT processes are affected by the

questionnaire. This questionnaire covers all well-known compliance


The controls matrix

As soon as the gap analysis questionnaire is completed intelligent

analysis is carried out with the tools developed by Yucca IT Consulting to

document the first matrix of controls. It's at this stage that there will be a

link between the gap analysis questionnaire and the customer's choice of


The controls matrix will be submitted to the customer for the customer to

accept all the controls described. The client will have the opportunity to

accept, refuse or change the wording of each control. The controls matrix becomes the master document of the entire compliance program. If needed, for a SOC 1, SOC 2 or CSAE 3416 report, Yucca IT Consulting will be able, at this stage, to help the client find an auditor who can sign this type of report.

The documentation of the IT processes

As soon as the controls matrix is accepted by the client, Yucca IT Consulting requires that a central directory be created (e.g. OneDrive, Google Drive, Egnyte, SharePoint, etc.). This working approach ensures that the entire work team can access all the documents and can minimize document transfer through emails.

Yucca IT Consulting has developed nearly 45 bilingual templates across all major compliances IT areas. If needed, the client will be able to buy them (between $25 and $75 per template). All templates developed by Yucca IT Consulting have the same graphic approach and already have the first customization based on the responses of the questionnaire completed by the client. The logo and the customer's name will appear on each template, and some paragraphs will already be customized. 

The implementation of the new processes and controls

Ideally, when the client documents new policies, guides or procedures, he works collegially with different work teams of the organization. Once the documentation is well established, it is imperative to ensure that new ways of doing things are well understood and applied at all times.

One of the big challenges of small companies, making sure that the controls put in place always applied in the same manner. Yucca IT Consulting guides the client during implementation so that the client avoids common pitfalls.

Implementing new processes and controls is probably the biggest challenge that customers face in a compliance process. Changing existing practices is never as simple as it may seem.

The awareness training

When the implementation of new processes and controls begins to be well integrated, it is an excellent time to train and educate all staff about new security practices. All employees must formally adhere to the security practices put in place.

They must attend an awareness training, and they must read the most important security policies and confirm their adherence.

Awareness is an important part of a compliance program. Yucca IT Consulting can help the client to prepare awareness training in relation to the security framework in place.

The SOC 1, SOC 2 or CSAE 3416 report documentation

For compliance programs involving SOC 1, SOC 2 and CSAE 3416, a standardized report is required. Yucca IT Consulting will be very involved in the drafting of the different reports. With the help of the organization's pilot, a full report ready for audit will be documented. This report may be provided to the selected auditor for audit.

The audit

If the client does not already have an auditor, Yucca IT Consulting will prepare all the documents so that the client can obtain proposals from different auditors.

Before the audit, Yucca IT Consulting will ensure that all documentation is completed and that all evidence has been placed in the central repository folders (e.g. OneDrive, GoogleDrive, Egnyte, SharePoint, etc.). If necessary, Yucca IT Consulting will be able to answer questions from auditors with the help of the organization's pilot.

Maintaining and monitoring

Once the audit is completed and the report or certificate issued, the client's challenge is to ensure that the processes and controls put in place work as described. To this end, Yucca IT Consulting will have established a self-assessment framework that the client can complete approximately six months after the audit.

This self-assessment will allow the client to detect gaps between the desired practices and the reality of the organization and, if necessary, action plans can be put in place to restore the desired practices.

Méthodologie conformité-Méthodologie SOC 2
bottom of page