SOC for Cybersecurity

PRIMARY CONTACTS: John Popies CPA (Pittsburgh), Eric Wright CPA, CITP (Pittsburgh), Donald Owens CPA, CITP, CIA, CFF, CBA, CFSA, CRMA (Columbus)

A SOC for Cybersecurity report is the product of an examination that provides stakeholders with information regarding an organization’s cybersecurity risk management program. The AICPA has developed a reporting framework to assist organizations in communicating relevant and useful information about the effectiveness of their cybersecurity risk management programs. The report provides a means for organizations to demonstrate that they are effectively managing cybersecurity threats, and that they have effective processes and controls in place to detect, respond to, mitigate and recover from breaches and other security events.

Benefits of a SOC for Cybersecurity Report

Organizations that undergo a SOC for Cybersecurity examination obtain a report on the effectiveness of their cybersecurity risk management program from an independent CPA firm. The report can be presented to your board of directors, analysts and investors, business partners, industry regulators and customers, and demonstrates that your organization has effective cybersecurity controls in place to achieve its cybersecurity objectives.

Potential users of a SOC for Cybersecurity report (and how each user benefits from one) include:

  • Members of the board of directors: They may require information about the cybersecurity risks an organization faces and the cybersecurity risk management program that management implements, to help them fulfill their oversight responsibilities. They may also want information from independent third-party assessors that will help them evaluate management's effectiveness in managing cybersecurity risks.
  • Analysts and investors: A SOC for Cybersecurity report is intended to help them understand the cybersecurity risks that could threaten the achievement of an organization’s operational, reporting, and compliance (legal and regulatory) objectives and, consequently, have an adverse impact on the organization’s value and stock price.
  • Business partners: They may require information about an organization’s cybersecurity risk management program as part of their overall risk assessment. This information is intended to help business partners determine matters such as whether there is a need for multiple suppliers for a good or service and the extent to which they choose to extend credit to the organization.
  • Customers and industry regulators: They may benefit from information about an organization’s cybersecurity risk management program to support their oversight role.

Contents of a SOC for Cybersecurity Report

The SOC for Cybersecurity report includes the following:

  • Management's description of the entity's cybersecurity risk management program – This description is designed to provide information about how the entity identifies its information assets, the ways in which the entity manages the cybersecurity risks that threaten it, and the key security policies and processes implemented and operated to protect the entity's information assets against those risks.
  • Management’s Assertion – The assertion addresses whether the description is presented in accordance with the description criteria and whether the controls within the entity's cybersecurity risk management program were effective to achieve the entity's cybersecurity objectives based on the control criteria.
  • Practitioner’s Report – Contains the CPA’s opinion that addresses whether the description is presented in accordance with the description criteria and whether the controls within the entity's cybersecurity risk management program were designed appropriately and operated effectively to achieve the entity's cybersecurity objectives based on the control criteria.

Contents of the Description Within the SOC for Cybersecurity Report

The following areas are included in the description of an entity’s cybersecurity risk management program. Within each of these areas, specific description criteria (not listed below) must be met as part of the entity’s system description.

  • Nature of the entity’s business and operations
  • Nature of the information at risk
  • The entity’s cybersecurity risk management program objectives
  • Factors that have a significant effect on the entity’s inherent cybersecurity risks
  • The entity’s cybersecurity risk governance structure
  • The entity’s cybersecurity risk assessment process
  • The entity’s cybersecurity communications and quality of cybersecurity information
  • Monitoring of the cybersecurity risk management program
  • The entity’s cybersecurity control processes

Types of SOC for Cybersecurity Reports

Unlike SOC 1 and SOC 2 reports, there are not different types of SOC for Cybersecurity reports. However, if circumstances are appropriate, practitioners can perform a design-only cybersecurity risk management examination. A design-only examination includes a practitioner’s opinion on whether the description is fairly stated and whether the controls within the entity's cybersecurity risk management program were suitably designed; it does not address whether those controls operated effectively. In most circumstances, the SOC for Cybersecurity report will cover both the design and the operating effectiveness of controls within the scope of the report.

To learn more about SOC for Cybersecurity, please visit the Our Thoughts On blog and read our article "SOC for Cybersecurity Reports: Overview and Comparison to SOC 2 Reports."

Read about the other types of SOC examinations and the overall SOC Practice at Schneider Downs.