The rise and institutionalization of cyber-attacks and data breaches within the corporate landscape has justifiably resulted in an atmosphere of reduced trust among business entities and consumers. Risk management and cybersecurity are consistently listed as top concerns among boards of directors and executive management teams. Investors, regulators, business partners, etc. are increasingly requiring validated information regarding an organization’s cybersecurity risk management practices in order to successfully execute their own risk management and oversight responsibilities. This environment led the Association of International Certified Professional Accountants (AICPA) to create the SOC for Cybersecurity examination report.
Intent of the SOC for Cybersecurity
The SOC for Cybersecurity report is intended to enable an organization to broadly communicate information regarding its cybersecurity risk management program. The report content is independently examined by a certified public accountant (CPA) who provides an opinion on certain assertions made by management in the report, including assertions regarding the design and effectiveness of controls supporting the cybersecurity risk management program. The SOC for Cybersecurity is a voluntary and very flexible framework intended to meet the market need for a common language to report and evaluate cybersecurity risk management practices and controls. The report content is documented at a high enough level to allow it to be distributed freely by management and used by anyone who may find its contents relevant to their interactions with the reporting organization.
Content of the SOC for Cybersecurity Report
The foundation of the SOC for Cybersecurity report consists of a description of the organization’s cybersecurity risk management program. The AICPA defines the cybersecurity risk management program as “the set of policies, processes, and controls designed to protect information and systems from security events that could compromise the achievement of the entity’s cybersecurity objectives and to detect, respond to, mitigate, and recover from, on a timely basis, security events that are not prevented.” This description also forms the bulk of the report content and the basis of the auditor’s examination. A SOC for Cybersecurity report is presented in three primary sections:
- Management’s Assertion
- The Independent Accountant’s Report
- Management’s Description of its Cybersecurity Risk Management Program.
If you are familiar with other common SOC reporting frameworks, like SOC 1 and SOC 2, you will notice there is no fourth section containing a detailed list of the entity’s control activities and the auditor’s tests of the controls. This is due to the unrestricted nature of a SOC for Cybersecurity report. Because the report can be distributed freely by management, the detailed list of controls is excluded to avoid misinterpretation by an uninformed user of the report.
While there are three sections to the report, there are only two subject matters that are examined and reported upon by the independent CPA:
- The description of the entity’s cybersecurity risk management program; and
- The effectiveness of controls within that program to achieve the entity’s cybersecurity objectives.
The Description of the Cybersecurity Risk Management Program
Management of the entity is responsible for presenting the description of its cybersecurity risk management program in alignment with predetermined criteria. The AICPA has established Description Criteria for Management’s Description of the Entity’s Cybersecurity Risk Management Program to aid in this presentation of the description. One great benefit of the SOC for Cybersecurity is its flexibility in presentation. While the AICPA offers its own criteria to assist in the presentation of the description, alternative criteria may be utilized if desired by management (e.g. ISO 27001, NIST CSF, etc.). Management may also decide to report either on a cybersecurity risk management program in its entirety or on just a portion of the entity-wide program. An experienced CPA firm or consultant should be able to assist with the presentation of your cybersecurity risk management program and its alignment with the description criteria. While it is advisable to seek assistance in drafting the description of a cybersecurity risk management program prior to undergoing an examination, ultimate responsibility for the content and the underlying procedures rests with management.
Once the description of the cybersecurity risk management program is prepared, management makes assertions regarding the description, which are presented in the first section of the report. These assertions include that management has established the entity’s cybersecurity objectives, that risks have been identified that could prevent those objectives from being achieved, and that controls have been designed, implemented, and placed in operation to address those risks. Management should also assert that an evaluation of the design and effectiveness of controls was performed based on predetermined control criteria and whether or not, based on this evaluation, controls operated effectively to achieve its cybersecurity objectives. Even though detailed lists of controls are not presented within the SOC for Cybersecurity report, the entity’s controls are still evaluated by the independent accountant, and therefore criteria must be adopted for those controls to be effectively evaluated. The AICPA recommends the adoption of the security, availability, and confidentiality criteria originally established for SOC 2 examinations within its publication TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Note that the processing integrity and privacy categories are not included in the recommended control criteria. An examination of a cybersecurity risk management program is not designed to enable an auditor to express an opinion on criteria specific to processing integrity or privacy concerns (even though the controls examined may assist in the achievement of an entity’s processing integrity or privacy objectives). Similar to the description criteria, there is flexibility in the control criteria used. Management can choose any control criteria it determines appropriate for the evaluation of its cybersecurity risk management program (e.g. ISO 27001, NIST 800-53, CIS, etc.).
Independent Accountant’s Report
Accompanying Management’s Assertion and the Description of the Cybersecurity Risk Management Program is the Independent Accountant’s Report. Here the independent CPA firm performing the examination presents their opinion on:
- whether the description of the cybersecurity risk management program was presented in accordance with the description criteria.
- the effectiveness of the controls within that program throughout the specified period in achieving the entity’s cybersecurity objectives based on the specified control criteria.
The opinion provided by an independent CPA is what makes SOC reports such trusted platforms to convey relevant information and controls to an organization’s stakeholders.
Difference Between SOC for Cybersecurity and SOC 2
On the surface, the SOC for Cybersecurity may seem very similar to the popular SOC 2 reporting framework; however, there are a few fundamental differences between the SOC for Cybersecurity and the SOC 2. The first, and arguably the most important, difference is that the SOC for Cybersecurity is not designed only for service-based organizations. Any organization within any industry could leverage a SOC for Cybersecurity report to convey details of its cybersecurity risk management program to stakeholders. This distinction opens the door for a vastly larger pool of industries to receive the benefits that SOC reports have historically only provided to service organizations.
Another very important difference is the intended use of the report. The use of a SOC 2 report is restricted to certain audiences that have sufficient knowledge of the nature of the system reported upon to make informed decisions based on the SOC 2 content (typically management and customers). The SOC for Cybersecurity is considered a “general use” report, meaning there are no restrictions placed on the use of the report; therefore, management can distribute the report freely in any medium. The SOC for Cybersecurity is similar to a SOC 3 in this regard, and the structure of the report aligns with that of a SOC 3 as well.
Further, the recommended description criteria for the SOC for Cybersecurity do not align with the SOC 2 description criteria. There are similarities; however, the SOC 2 is focused on a specified system supporting the services provided by the entity, whereas the SOC for Cybersecurity is focused on the entity’s cybersecurity risk management program. Additionally, while much of the control criteria overlap, you will not see the detailed controls presented in the SOC for Cybersecurity as you would in the SOC 2. Again, both the description criteria and the control criteria used in the SOC for Cybersecurity are completely flexible at the discretion of management and are not required to be adopted as they are in the SOC 2.
Where to Start
If you are considering a SOC for Cybersecurity examination, the first step is to contact a CPA firm that offers SOC examination services. An experienced professional should be able to walk you through the steps to obtaining a report. Typically, this includes an initial readiness assessment (which could be performed in-house, by a consultant, or by the CPA firm you plan to use for the actual examination). At AssurancePoint, we offer free readiness assessments for new clients who also perform subsequent examinations with our firm. After your readiness assessment is complete, you may need a period to remediate any deficiencies found during the readiness assessment. The practitioner who performed the readiness assessment should be able to provide you with recommendations for any gaps identified. If you are still unsure about the state of your cybersecurity risk management program after your readiness assessment, your first examination could optionally be a design-only assessment. In this type of examination, your auditor will report only on the presentation of the description and the design of the controls implemented to support your cybersecurity risk management program, similar to a Type I SOC 2. The design-only assessment is a shorter and simpler examination process that can serve as a sound stepping stone toward your full examination, but users of the report do not receive any assurance over the operating effectiveness of the controls supporting the cybersecurity risk management program. The ultimate goal is to obtain a full report that includes an examination of the effectiveness of the controls supporting the cybersecurity risk management program over a specified period. The examination process is slightly more strenuous because the full examination assesses the controls supporting your program over a specified time period; however, it provides users of the report the most assurance over your cybersecurity risk management program.
The SOC for Cybersecurity is a versatile reporting framework that can efficiently provide a broad base of users and stakeholders with information regarding an entity’s cybersecurity risk management program. The SOC for Cybersecurity also opens the door for organizations in any industry to leverage a common reporting framework that can be independently validated. If you are interested in learning more, have additional questions, or are ready to start the process of obtaining your SOC for Cybersecurity report, please contact us. We are happy to have an expert provide a free consultation to discuss your needs and whether the SOC for Cybersecurity can provide value to your organization.