As cybersecurity threats are becoming more advanced, more intelligent, and more prevalent, organizations are beginning to ask themselves; How can we prove to our customers and our prospects that our cybersecurity standards are up to par? The answer is simple. Get a SOC for Cybersecurity report as part of your larger cybersecurity compliance program.
Cybersecurity Compliance & Risk Management Reporting
Unlike the other SOC audits, a SOC for Cybersecurity report is geared toward any organization, not just Service Organizations. The purpose of this reporting framework is to enable companies to have an independent assessment of their cybersecurity risk management program. It’s a comprehensive audit that should be prepared by an AICPA SOC for Cybersecurity designated professional.
SOC for Cybersecurity Audit Criteria
The SOC for Cybersecurity reporting framework consists of two sets of criteria:
- Criteria to be used by the management of the organization in developing the description of their cybersecurity risk management program, and
- Criteria to be utilized to evaluate the effectiveness of the controls within the program.
The framework utilized for developing the description of the SOC for Cybersecurity program was established by the AICPA’s Assurance Services Executive Committee’s (ASEC) Cybersecurity Working Team.
The report that is the final product of a SOC for Cybersecurity assessment is a general use report that is unrestricted for distribution.
The Parts of a SOC for Cybersecurity Audit
The general purpose of the Readiness Assessment is to assess an organization’s cybersecurity compliance and risk management program to determine if a compliance program has been established in general, and if that the program meets the applicable criteria. The assessment involves:
- Discussing and walking through business processes, policies, and procedures
- Performing other fact finding efforts to identify and document the controls built into the cybersecurity risk management program
- Determining if those controls reasonably address the criteria
The Readiness Assessment ultimately identifies the controls to be audited as part of the Cybersecurity reporting process.
SOC for CybersecuritySM Type I Report
The Type I SOC for Cybersecurity reports require a licensed CPA firm to independently assess the organization’s controls relative to meeting the descriptive and control criteria as of a date. These reports are generally used as a gap report by organizations that are obtaining a SOC for Cybersecurity report for the first time and want:
- To assess if compliance controls have been designed and implemented, and
- A preliminary assessment as to the state of their cybersecurity risk management program that can be provided to stakeholders until they can provide a Type II report
SOC for CybersecuritySM Type II Report
A SOC for Cybersecurity TYPE II report includes all of the components of a Type I report and requires that the operating effectiveness of controls be assessed over a period of time. The period of time is flexible; however, it is generally recommended that the period is at least six months and less than thirteen months to provide the most usefulness to the intended recipients of the report. Following the initial reporting cycle, Service Organizations typically aim to obtain a SOC 2 Type II report on an annual basis (i.e. covering twelve months).
Withum’s SOC services team authored and presented the inaugural AICPA SOC for Cybersecurity course. Seven of Withum’s professionals are among the first CPAs nationwide to earn the AICPA’s SOC for Cybersecurity digital badge.