SOC for Cybersecurity

A SOC for Cybersecurity Report is the product of an examination that provides stakeholders with information about an organization's cybersecurity risk management program. The AICPA has developed a reporting framework to help organizations communicate relevant and useful information about the effectiveness of their cybersecurity risk management programs. The report gives organizations a means to demonstrate that they are effectively managing cybersecurity threats, and that they have effective processes and controls in place to detect, respond to, mitigate and recover from security breaches and other security events.

Benefits of a SOC for Cybersecurity Report

Organizations that undergo a SOC for Cybersecurity examination obtain a report on the effectiveness of their cybersecurity risk management program from an independent CPA firm. The report can be presented to your board of directors, analysts and investors, business partners, industry regulators and customers, and demonstrates that your organization has effective cybersecurity controls in place to achieve its cybersecurity objectives.

Potential users of a SOC for Cybersecurity report (and how each will benefit from one) include:

  • Members of the board of directors: They may require information about the cybersecurity risks an organization faces and the cybersecurity risk management program that management has implemented to help them fulfill their oversight responsibilities. They may also want information from independent third-party assessors that will help them evaluate management's effectiveness in managing cybersecurity risks.
  • Analysts and investors: A SOC for Cybersecurity report is intended to help them understand the cybersecurity risks that could threaten the achievement of an organization's operational, reporting and compliance (legal and regulatory) objectives and, consequently, have an adverse impact on the organization's value and stock price.
  • Business partners: They may require information about an organization's cybersecurity risk management program as part of their overall risk assessment. This information is intended to help business partners determine matters such as whether there is a need for multiple suppliers for a good or service and the extent to which they choose to extend credit to your organization.
  • Customers and industry regulators: They may benefit from information about an organization's cybersecurity risk management program to support their oversight role.

Contents of a SOC for Cybersecurity Report

The SOC for Cybersecurity report includes the following:

  • Management's description of the entity's cybersecurity risk management program - This description is designed to provide information about how the entity identifies its information assets, the ways in which the entity manages the cybersecurity risks that threaten it, and the key security policies and processes implemented and operated to protect the entity's information assets against those risks.
  • Management's Assertion - The assertion addresses whether the description is presented in accordance with the description criteria and whether the controls within the entity's cybersecurity risk management program were effective to achieve the entity's cybersecurity objectives based on the control criteria.
  • Practitioner's Report - Contains the CPA's opinion that addresses whether the description is presented in accordance with the description criteria and whether the controls within the entity's cybersecurity risk management program were designed appropriately and operated effectively to achieve the entity's cybersecurity objectives based on the control criteria.

Contents of the Description Within the SOC for Cybersecurity Report

The following areas are included in the description of an entity's cybersecurity risk management program. Within each of these areas, specific description criteria (not listed below) must be met as part of the entity's system description.

  • Nature of the entity's business and operations
  • Nature of the information at risk
  • The entity's cybersecurity risk management program objectives
  • Factors that have a significant effect on the entity's inherent cybersecurity risks
  • The entity's cybersecurity risk governance structure
  • The entity's cybersecurity risk assessment process
  • The entity's cybersecurity communications and quality of cybersecurity information
  • Monitoring of the cybersecurity risk management program
  • The entity's cybersecurity control processes

Types of SOC for Cybersecurity Reports

Unlike SOC 1 and SOC 2 reports, there are no different types of SOC for Cybersecurity reports. However, if circumstances are appropriate, practitioners can perform a design-only cybersecurity risk management examination. A design-only examination includes a practitioner's opinion on whether the description is fairly stated and whether the controls within the entity's cybersecurity risk management program were suitably designed; it says nothing about whether those controls actually operated over a period of time, so report users should note which form of opinion they have received. In most circumstances, the SOC for Cybersecurity report will cover both the design and the operating effectiveness of the controls within the scope of the report.

To learn more about SOC for Cybersecurity, please visit the Our Thoughts On blog and read our article "SOC for Cybersecurity Reports: Overview and Comparison to SOC 2 Reports."

Click here to read about the other types of SOC examinations and the overall SOC Practice at Schneider Downs.

