As cybersecurity threats continue to evolve, so do the standards around network security and the protection of personally identifiable information (PII). The introduction of GDPR regulations is just a taste of what future cybersecurity risk management and compliance will be. Organizations of all types are starting to ask themselves: have we put enough thought into protecting both our data and our customers’ data, and how can we prove that our security standards are up to par and that we’re successfully managing threats? More often than not, the best answer is to get a System and Organization Controls (SOC) for Cybersecurity audit report.
A SOC for Cybersecurity report is an extremely comprehensive cybersecurity compliance audit prepared by a licensed IT professional who is verified to do such audits. Unlike traditional SOC audit reports for service organizations, SOC for Cybersecurity is a general use report that covers significant cybersecurity policies and procedures influencing any and all proprietary and customer information.
There are countless IT Security businesses that say they can perform Cybersecurity Assessments but, up until recently, there was no way of knowing whether or not the IT professionals performing SOC audit services had the expertise and know-how to perform the assessments successfully.
The AICPA completed the inaugural SOC for Cybersecurity certificate program for cybersecurity specialists on April 26, 2018, which SOC consultants at Withum helped write and prepare.
A typical SOC for Cybersecurity report consists of three parts:
1. The SOC Auditors Independent Report
2. Management’s Assertion on Security, Availability, and Confidentiality
3. Management’s Description of the Cybersecurity Risk Management Program
SOC Auditor’s Independent Report. The first section of the report consists of the evaluation, or opinion, of the third-party auditor. They discuss, in detail, their findings and make suggestions on the overall cybersecurity compliance and risk management of the organization.
Management’s Assertion. The second section is signed by management and asserts that they are aware of the controls in place surrounding data security, data confidentiality, and availability, or uptime. The control criteria used for part II of the SOC report can either be the American Institute of Certified Public Accountants (AICPA) trust service criteria, or another comprehensive framework, such as the National Institute of Standards and Technology (NIST) control framework.
Management’s Description. The third part of the report, management’s description, is a document that details all the components of the organization’s cybersecurity risk management program. This section addresses the AICPA cybersecurity description criteria.
Similar to SOC for service organizations, if a company has never had SOC for Cybersecurity done, getting a report becomes a two-step process. First, a consultant must be called in to assist in mapping the entity’s cybersecurity controls to the criteria, assist in identifying any gaps, and assist in remediation. Then, a third-party, independent auditor is engaged to perform the actual audit and prepare the SOC for Cybersecurity report.
Still have questions? Check out the full list of SOC for Cybersecurity FAQs here.
A SOC for Cybersecurity report details a company’s own cybersecurity risk management program and proves that its cybersecurity protections are adequate, regularly maintained, and constantly evolving. Completed annually, it’s a public testament to a company’s ongoing commitment to data security, confidentiality, and availability. Other SOC compliance audits are driven by vendors, but SOC for Cybersecurity audits are driven by you or your board of directors. Since a SOC for Cybersecurity report is considered to be a general use document, it can be given to investors, board members, regulators, prospects, and current customers. A SOC for Cybersecurity report instills confidence and trust in clients that your organization is doing everything it can to stay on top of growing cybersecurity threats.
Yes! Every organization should consider getting a SOC for Cybersecurity report done annually as part of their ongoing cybersecurity compliance strategy. While it’s currently not required, as regulations surrounding data security increase, SOC for Cybersecurity will more than likely become mandated in the very near future.
Aside from setting a company apart as a leader in cybersecurity, SOC for Cybersecurity can potentially save significant amounts of time and money if your IT team is annually required to fill out data security questionnaires from clients. As you may be aware, these questionnaires are lengthy, typically around 2000 questions each, and you need a senior IT professional to answer them. Often, an organization may employ a full-time salaried IT technician whose sole job function is to answer security questionnaires. If you invest in getting a SOC for Cybersecurity assessment, the final report is so comprehensive that it can be used to guide less seasoned IT professionals in answering security questionnaires more efficiently, and some clients are starting to accept annually updated SOC for Cybersecurity reports in place of their traditional security questionnaires.
Remember, if you’re considering SOC for Cybersecurity and it’s your first time getting a report, an outside consultant will need to be brought in first. Preparing for the SOC for Cybersecurity audit is a heavy lift that requires a two-step process. First, you need to complete a readiness assessment and map controls, then the audit engagement is completed.
The audit, part two, can only be completed for companies that have a mature cybersecurity risk management system, measured by the AICPA. For organizations that do not have a mature cybersecurity risk management program, part one, consulting, could take a year or two to prepare. While this process is thorough and lengthy, there is significant value to the organization as you prepare, strengthening your overall cybersecurity.
Part two, the audit portion of your SOC report, is completed by an independent third party. The time it takes to receive the actual SOC for Cybersecurity report will vary by provider, but Withum usually provides the comprehensive document 45 days after the audit is completed.
Choosing a vendor who has the SOC for Cybersecurity certificate is not required, but you face the risk of the audit not being completed correctly if your chosen vendor doesn’t have the certificate. The firms able to audit and produce an official SOC for Cybersecurity report are those with individual CPAs who have been certified by the AICPA credentialing program and obtained the SOC for Cybersecurity Services Certificate. The program was launched in April 2017, and as of May 2018, Withum has seven individuals certified to provide SOC for Cybersecurity reports in the U.S. They are:
We’re very proud to be able to say that four of our CPAs were the first people in the country to become SOC for Cybersecurity certified and receive their digital badges.
If you’re ready to make steps toward receiving a SOC for Cybersecurity audit, you should engage a firm that has individuals with the requisite cybersecurity experience and knowledge. Additionally, you should opt for individuals who have obtained their SOC for Cybersecurity certificate to assist companies in creating a plan to address the AICPA description criteria that includes 19 separate items to ensure your organization is properly secure.
Looking to get a SOC for Cybersecurity report for your organization? Let us help. Contact one of our SOC consultants online, or give us a call at (609) 520 1188.