Reporting on an Organization's Enterprise-Wide Cybersecurity Risk Management Program
Unlike the other SOC reporting options, SOC for CybersecuritySM is geared toward any organization, not just Service Organizations. The purpose of this reporting framework is to enable organizations to have an independent assessment of their cybersecurity risk management program.
The SOC for CybersecuritySM reporting framework consists of two sets of criteria: (1) criteria used by the organization's management in developing the description of its cybersecurity risk management program, and (2) criteria used to evaluate the effectiveness of the controls within the program. The framework for developing the description of the cybersecurity program was established by the AICPA's Assurance Services Executive Committee (ASEC) Cybersecurity Working Group.
The scope of a SOC for Cybersecurity assessment must include the entire cybersecurity risk management program of the organization, which may include elements that are performed by third parties.
The report that is the product of a SOC for CybersecuritySM assessment is a general use report that is unrestricted for distribution.
The general purpose of the Readiness Assessment is to assess an organization's cybersecurity risk management program to determine whether the program has been established and meets the applicable criteria. The assessment involves discussing and walking through business processes, policies and procedures, and performing other fact-finding efforts to identify and document the controls built into the cybersecurity risk management program and to determine whether those controls reasonably address the criteria. The Readiness Assessment ultimately identifies the controls to be audited as part of the SOC for CybersecuritySM reporting process.
Type I SOC for CybersecuritySM reports require a CPA firm to independently assess the organization's controls against the description and control criteria as of a specific date.
These reports are generally used as a gap report by organizations obtaining a SOC for CybersecuritySM report for the first time that (1) want to assess whether the controls have been designed and implemented, and (2) want a preliminary assessment of the state of their cybersecurity risk management program that can be provided to stakeholders until a Type II report is available.
A SOC for CybersecuritySM Type II report includes all of the components of a Type I report and additionally requires that the operating effectiveness of controls be assessed over a period of time. The period is flexible; however, it is generally recommended that it be at least six months and less than thirteen months to provide the most usefulness to the intended recipients of the report. Following the initial reporting cycle, Service Organizations typically aim to obtain a SOC 2SM Type II report on an annual basis (i.e., covering twelve months).