SOC for Cybersecurity Audit Report Services

As cybersecurity threats become more advanced, more targeted, and more prevalent, organizations are beginning to ask themselves: How can we prove to our customers and prospects that our cybersecurity practices are up to par? One answer is to obtain a SOC for Cybersecurity report as part of a larger cybersecurity compliance program.

Cybersecurity Compliance and Risk Management Reporting

Unlike SOC 1 and SOC 2 reports, which are designed for service organizations, a SOC for Cybersecurity report can be obtained by any organization. The purpose of this reporting framework is to give companies an independent assessment of their cybersecurity risk management program. It is a comprehensive examination that must be performed by a licensed CPA firm with AICPA SOC for Cybersecurity expertise.

SOC for Cybersecurity Audit Criteria

The SOC for Cybersecurity reporting framework consists of two sets of criteria:

  • Description criteria, used by the organization's management to develop the description of its cybersecurity risk management program, and
  • Control criteria, used to evaluate the effectiveness of the controls within that program.

The description criteria were established by the AICPA's Assurance Services Executive Committee (ASEC) Cybersecurity Working Team. For the control criteria, management may use the AICPA Trust Services Criteria or another suitable, widely recognized framework (for example, the NIST Cybersecurity Framework or ISO 27001), as long as the criteria chosen are appropriate for the program being described.

The scope of a SOC for Cybersecurity assessment must include the entire cybersecurity risk management program of the organization, which may include elements that are performed by third parties.

The report that is the final product of a SOC for Cybersecurity assessment is a general use report; unlike a SOC 1 or SOC 2 report, its distribution is not restricted to specified parties.

The Parts of a SOC for Cybersecurity Audit

As with SOC 1 and SOC 2 engagements, the SOC for Cybersecurity process typically has three stages: a Readiness Assessment, a Type I report, and a Type II report.

The general purpose of the Readiness Assessment is to evaluate an organization's cybersecurity compliance and risk management program to determine whether a program has been established at all, and whether that program meets the applicable criteria. The assessment involves:

  • Discussing and walking through business processes, policies, and procedures
  • Performing other fact finding efforts to identify and document the controls built into the cybersecurity risk management program
  • Determining if those controls reasonably address the criteria

The Readiness Assessment ultimately identifies the controls to be audited as part of the Cybersecurity reporting process.

A Type I SOC for Cybersecurity report requires a licensed CPA firm to independently assess the organization's controls against the description criteria and the control criteria as of a specified date. Type I reports are generally used as a gap report by organizations obtaining a SOC for Cybersecurity report for the first time that want:

  • To assess if compliance controls have been designed and implemented, and
  • A preliminary assessment as to the state of their cybersecurity risk management program that can be provided to stakeholders until they can provide a Type II report

A SOC for Cybersecurity Type II report includes all of the components of a Type I report and additionally requires that the operating effectiveness of controls be assessed over a period of time. The period is flexible; however, it is generally recommended that it cover at least six months and less than thirteen months to be most useful to the intended recipients of the report. Following the initial reporting cycle, organizations typically aim to obtain a SOC for Cybersecurity Type II report on an annual basis (i.e., covering twelve months).
