SOC for Cybersecurity

Established by the American Institute of Certified Public Accountants (AICPA), the SOC for Cybersecurity reporting framework enables CPAs to examine and report on an organization’s cybersecurity risk management program (CRMP).

SOC examinations help provide an independent, entity-wide examination of the CRMP for any type of organization and can give boards, investors, business partners, and other stakeholders confidence in an organization’s CRMP and its mitigation strategies to combat cyberattacks.

How Does SOC for Cybersecurity Compare to SOC 2?

The SOC for Cybersecurity examination differs from a SOC 2® examination in three main ways:

  • Purpose
  • Criteria
  • Assessment reports

The two examinations differ in scope. SOC 2 primarily addresses general information security controls, while SOC for Cybersecurity focuses on the entity-wide cybersecurity risk management program.

How the Process Works

Management is responsible for the controls within the entity’s CRMP, regardless of whether those controls are performed by the entity or by a service organization. Controls are required to address the description criteria within the entity's CRMP.

Preparing an organization’s leadership team for this reporting process is essential. Performing an internal-use-only evaluation using one of the relevant frameworks or regulations can help make the process more effective.

How Do You Select a Security Framework for SOC for Cybersecurity?

Select the framework that best meets the needs of your organization and base the SOC examination for cybersecurity on that framework.

Applicable frameworks include:

  • National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
  • International Organization for Standardization (ISO)/IEC 27001, 27002
  • Control Objectives for Information Technologies (COBIT) 5
  • Committee of Sponsoring Organizations (COSO) Framework
  • NIST Special Publications 800 Series
  • Health Information Trust Alliance (HITRUST) Common Security Framework
  • US Department of Homeland Security requirements for annual Federal Information Security Management Act (FISMA) reporting
  • Health Insurance Portability and Accountability Act (HIPAA) Security Rule
  • Payment Card Industry Data Security Standard (PCI DSS) 3.2
  • Federal Financial Institutions Examination Council questionnaires

Report Contents

The report contains three sections:

  • Management’s description of the entity’s CRMP in accordance with the description criteria
  • Management’s assertion that its description is in accordance with the description criteria and that controls within the program were effective in achieving the entity’s cybersecurity objectives based on the control criteria
  • CPA’s opinion on management’s description and on the operating effectiveness of the program’s internal controls

Expansive SOC Experience

Our professionals provide examinations for a range of client types including software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), and platform-as-a-service (PaaS) companies, business intelligence providers, colocation data centers, financial institutions and service companies, third-party administrators, benefits administrators, and more.

Baker Tilly US, LLP, Baker Tilly Advisory Group, LP and Moss Adams LLP and their affiliated entities operate under an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable laws, regulations and professional standards. Baker Tilly Advisory Group, LP and its subsidiaries, and Baker Tilly US, LLP and its affiliated entities, trading as Baker Tilly, are members of the global network of Baker Tilly International Ltd., the members of which are separate and independent legal entities. Baker Tilly US, LLP and Moss Adams LLP are licensed CPA firms that provide assurance services to their clients. Baker Tilly Advisory Group, LP and its subsidiary entities provide tax and consulting services to their clients and are not licensed CPA firms. ISO certification services offered through Moss Adams Certifications LLC. Investment advisory offered through either Moss Adams Wealth Advisors LLC or Baker Tilly Wealth Management, LLC.