As cybersecurity threats are becoming more advanced, more intelligent, and more prevalent, organizations are beginning to ask themselves; How can we prove to our customers and our prospects that our cybersecurity standards are up to par? The answer is simple. Get a SOC for Cybersecurity report as part of your larger cybersecurity compliance program.
Unlike the other SOC audits, a SOC for Cybersecurity report is geared toward any organization, not just Service Organizations. The purpose of this reporting framework is to enable companies to have an independent assessment of their cybersecurity risk management program. It’s a comprehensive audit that should be prepared by an AICPA SOC for Cybersecurity designated professional.
The SOC for Cybersecurity reporting framework consists of two sets of criteria:
The framework utilized for developing the description of the SOC for Cybersecurity program was established by the AICPA’s Assurance Services Executive Committee’s (ASEC) Cybersecurity Working Group.
The scope of a SOC for Cybersecurity assessment must include the entire cybersecurity risk management program of the organization, which may include elements that are performed by third parties.
The report that is the final product of a SOC for Cybersecurity assessment is a general use report that is unrestricted for distribution.
Similar to other SOC audit reports, the SOC for cybersecurity audit consists of three parts; the Readiness Assessment, the Type I Report, and the Type II Report.
The general purpose of the Readiness Assessment is to assess an organization’s cybersecurity compliance and risk management program to determine if a compliance program has been established in general, and if that the program meets the applicable criteria. The assessment involves:
The Readiness Assessment ultimately identifies the controls to be audited as part of the Cybersecurity reporting process.
The Type I SOC for Cybersecurity reports require a licensed CPA firm to independently assess the organization’s controls relative to meeting the descriptive and control criteria as of a date. These reports are generally used as a gap report by organizations that are obtaining a SOC for Cybersecurity report for the first time and want:
A SOC for Cybersecurity TYPE II report includes all of the components of a Type I report and requires that the operating effectiveness of controls be assessed over a period of time. The period of time is flexible; however, it is generally recommended that the period is at least six months and less than thirteen months to provide the most usefulness to the intended recipients of the report. Following the initial reporting cycle, Service Organizations typically aim to obtain a SOC 2 Type II report on an annual basis (i.e. covering twelve months).
Looking to get a SOC for Cybersecurity report for your organization? Let us help. Contact one of our SOC consultants online, or give us a call at (609) 520 1188.
Withum’s SOC services team authored and presented the inaugural AICPA SOC for Cybersecurity course. Seven of Withum’s professionals are among the first CPAs nationwide to earn the AICPA’s SOC for Cybersecurity digital badge.