Introduction To The SOC For Cybersecurity

The rise and institutionalization of cyber-attacks and data breaches within the corporate landscape has justifiably resulted in an atmosphere of reduced trust among business entities and consumers. Risk management and cybersecurity are consistently listed as top concerns among boards of directors and executive management teams. Investors, regulators, business partners, etc. are increasingly requiring validated information regarding an organization’s cybersecurity risk management practices to successfully execute on their own risk management and oversight responsibilities. This environment led the Association of International Certified Professional Accountants (AICPA) to create the SOC for Cybersecurity examination report.

 

Intent of the SOC for Cybersecurity

The SOC for Cybersecurity report is intended to enable an organization to broadly communicate information regarding its cybersecurity risk management program. The report content is independently examined by a certified public accountant (CPA) who provides an opinion on certain assertions made by management in the report, including assertions regarding the design and effectiveness of controls supporting the cybersecurity risk management program. The SOC for Cybersecurity is a voluntary and very flexible framework intended to meet the market need for a common language to report and evaluate cybersecurity risk management practices and controls. The report content is documented at a high enough level to allow it to be distributed freely by management and used by anyone who may find its contents relevant to their interactions with the reporting organization.

 

Content of the SOC for Cybersecurity Report

The foundation of the SOC for Cybersecurity report consists of a description of the organization’s cybersecurity risk management program. The AICPA defines the cybersecurity risk management program as “the set of policies, processes, and controls designed to protect information and systems from security events that could compromise the achievement of the entity’s cybersecurity objectives and to detect, respond to, mitigate, and recover from, on a timely basis, security events that are not prevented.” This description also forms the bulk of the report content and the basis of the auditor’s examination. A SOC for Cybersecurity report is presented in three primary sections:

  1. Management’s Assertion
  2. The Independent Accountant’s Report
  3. Management’s Description of its Cybersecurity Risk Management Program.

If you are familiar with other common SOC reporting frameworks, like SOC 1 and SOC 2, you will notice there is no fourth section containing a detailed list of the entity’s control activities and the auditor’s tests of the controls. This is due to the unrestricted nature of a SOC for Cybersecurity report. Because the report can be distributed freely by management, the detailed list of controls is excluded to avoid misinterpretation by an uninformed user of the report.

While there are three sections to the report, there are only two subject matters that are examined and reported upon by the independent CPA:

  • The description of the entity’s cybersecurity risk management program; and
  • The effectiveness of controls within that program to achieve the entity’s cybersecurity objectives.

The Description of the Cybersecurity Risk Management Program

Management of the entity is responsible for presenting the description of its cybersecurity risk management program in alignment with predetermined criteria. The AICPA has established Description Criteria for Management’s Description of the Entity’s Cybersecurity Risk Management Program to aid in this presentation of the description. One great benefit of the SOC for Cybersecurity is its flexibility in presentation. While the AICPA offers its own criteria to assist in the presentation of the description, alternative criteria may be utilized if desired by management (e.g., ISO 27001, NIST CSF, etc.). Management may also decide to either report on a cybersecurity risk management program in its entirety, or on just a portion of the entity-wide program. An experienced CPA firm or consultant should be able to assist with the presentation of your cybersecurity risk management program and its alignment with the description criteria. While it is advisable to seek assistance in drafting the description of a cybersecurity risk management program prior to undergoing an examination, ultimate responsibility for the content and the underlying procedures rests with management.

 

Management’s Assertion

Once the description of the cybersecurity risk management program is prepared, management makes assertions regarding the description, which are presented in the first section of the report. These assertions include that management has established the entity’s cybersecurity objectives, that risks have been identified that could prevent those objectives from being achieved, and that controls have been designed, implemented, and placed in operation to address those risks. Management should also assert that an evaluation of the design and effectiveness of controls was performed based on predetermined control criteria and whether or not, based on this evaluation, the controls operated effectively to achieve the entity’s cybersecurity objectives.

Even though detailed lists of controls are not presented within the SOC for Cybersecurity report, the entity’s controls are still evaluated by the independent accountant and therefore criteria must be adopted for those controls to be effectively evaluated. The AICPA recommends the adoption of the security, availability, and confidentiality criteria originally established for SOC 2 examinations within its publication TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Note that the recommended control criteria do not include the processing integrity or privacy categories. An examination of a cybersecurity risk management program is not designed to enable an auditor to express an opinion on criteria specific to processing integrity or privacy concerns (even though the controls examined may assist in the achievement of an entity’s processing integrity or privacy objectives). Similar to the description criteria, there is flexibility allowed in the control criteria used. Management can choose any control criteria it determines appropriate for the evaluation of its cybersecurity risk management program (e.g., ISO 27001, NIST 800-53, CIS, etc.).

 

Independent Accountant’s Report

Accompanying Management’s Assertion and the Description of the Cybersecurity Risk Management Program is the Independent Accountant’s Report. Here the independent CPA firm performing the examination presents their opinion on:

  • whether the description of the cybersecurity risk management program was presented in accordance with the description criteria.
  • the effectiveness of the controls within that program throughout the specified period in achieving the entity’s cybersecurity objectives based on the specified control criteria.

The opinion provided by an independent CPA is what makes SOC reports such trusted platforms to convey relevant information and controls to an organization’s stakeholders.

 

Difference Between SOC for Cybersecurity and SOC 2

On the surface the SOC for Cybersecurity may seem very similar to the popular SOC 2 reporting framework; however, there are a few fundamental differences between the SOC for Cybersecurity and the SOC 2. The first, and arguably the most important, difference is that the SOC for Cybersecurity is not designed only for service-based organizations. Any organization within any industry could leverage a SOC for Cybersecurity report to convey details of its cybersecurity risk management program to stakeholders. This distinction opens the door for a vastly larger pool of industries to receive the benefits that SOC reports have historically only provided to service organizations.

Another very important difference is the intended use of the report. The use of a SOC 2 report is restricted to certain audiences that have sufficient knowledge of the nature of the system reported upon to make informed decisions based on the SOC 2 content (typically management and customers). The SOC for Cybersecurity is considered a “general use” report, meaning there are no restrictions placed on the use of the report; therefore, management can distribute the report freely in any medium. The SOC for Cybersecurity is similar to a SOC 3 in this regard, and the structure of the report aligns with that of a SOC 3 as well.

Further, the recommended description criteria for the SOC for Cybersecurity do not align with the SOC 2 description criteria. There are similarities; however, the SOC 2 is focused on a specified system supporting the services provided by the entity, whereas the SOC for Cybersecurity is focused on the entity’s cybersecurity risk management program. Additionally, while much of the control criteria overlap, you will not see the detailed controls presented in the SOC for Cybersecurity as you would in the SOC 2. Again, both the description criteria and the control criteria presented in the SOC for Cybersecurity are completely flexible at the discretion of management and are not required to be adopted as they are in the SOC 2.

 

Where to Start

If you are considering a SOC for Cybersecurity examination, the first step is to contact a CPA firm that offers SOC examination services. An experienced professional should be able to walk you through the steps to obtaining a report. Typically, this includes an initial readiness assessment (which could be performed in-house, by a consultant, or by the CPA firm you plan to use for the actual examination).

At AssurancePoint, we offer free readiness assessments for new clients who also perform subsequent examinations with our firm. After your readiness assessment is complete, you may need a period to remediate any deficiencies found during the readiness assessment. The practitioner who performed the readiness assessment should be able to provide you recommendations for any gaps identified.

If you are still uncertain about the state of your cybersecurity risk management program after your readiness assessment, your first examination could optionally be a design-only assessment. In this type of examination, your auditor will only report on the presentation of the description and the design of the controls implemented to support your cybersecurity risk management program, similar to a Type I SOC 2. The design-only assessment is a shorter and simpler examination process that can serve as a sound stepping stone toward your full examination, but the users of the report do not receive any assurance over the operating effectiveness of the controls supporting the cybersecurity risk management program.

The ultimate goal is to obtain a full report that includes an examination over the effectiveness of the controls supporting the cybersecurity risk management program over a specified period. The examination process is slightly more strenuous because the full examination will assess the controls supporting your program over a specified time period; however, it provides users of the report the most assurance over your cybersecurity risk management program.

 

Conclusion

The SOC for Cybersecurity is a versatile reporting framework that can efficiently provide a broad base of users and stakeholders information regarding an entity’s cybersecurity risk management program. The SOC for Cybersecurity also opens the doors to organizations in any industry to leverage a common reporting framework that can be independently validated. If you are interested in learning more, have additional questions, or are ready to start the process to obtain your SOC for Cybersecurity report, please contact us. We are happy to have an expert provide a free consultation to discuss your needs and if the SOC for Cybersecurity can provide value to your organization.

Written By:

Dale Crump

Dale Crump is the Founder and Managing Partner of AssurancePoint. Dale has over a decade of experience in information security auditing, governance, risk, compliance, and internal control frameworks. Dale is the SOC examination practice lead at AssurancePoint and has personally contributed to the issuance of hundreds of audit reports for companies in various industries including healthcare, financial technology, information privacy, legal, gaming, managed services, marketing, logistics, etc. Dale is a strong advocate of advancing quality in the security and compliance industry and delivering value to his clients. Dale is a licensed certified public accountant (CPA) and also holds various other industry- and security-specific certifications including Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Privacy Professional (CIPP), Certificate of Cloud Security Knowledge (CCSK), ISO 27001 Lead Auditor, and the Advanced SOC for Service Organizations credential, among others. Dale is an active member of the AICPA, Georgia Society of CPAs, ISACA, ISC2, and the IAPP.