SOC 2 for Cybersecurity: Helping You Build Trust and Transparency

Stolen data. System shutdowns. Widely publicized breaches. High-dollar lawsuits. Is your organization prepared for a cybersecurity attack?

Organizations are under increasing pressure to demonstrate that they are managing cybersecurity threats and that they have effective processes and controls in place to detect, respond to, mitigate and recover from breaches and other security events. The American Institute of Certified Public Accountants (AICPA) has developed a cybersecurity risk management reporting framework that assists organizations in communicating information about the effectiveness of their cybersecurity risk management programs.

The framework is a key component of a new System and Organization Controls (SOC) for Cybersecurity engagement, through which a CPA reports on an organization’s enterprise-wide cybersecurity risk management program. This information can help senior management, boards of directors, analysts, investors and business partners gain a better understanding of the organization’s efforts.

Using the AICPA’s SOC for Cybersecurity framework, CPAs can provide assurance over the effectiveness of controls within your organization’s cybersecurity risk management program.

CPA firms deploy multidisciplinary teams composed of licensed CPAs and information technology and security specialists to ensure a comprehensive and thorough evaluation. Together they will assess your cybersecurity risk management program and its effectiveness in meeting your organization’s cybersecurity objectives.

SOC for Cybersecurity is appropriate for businesses, not-for-profits and virtually any other type of organization. It can help you reduce uncertainty and build a resilient organization by evaluating the effectiveness of your cybersecurity processes and controls. It also permits flexibility by not constraining you to a particular security management framework or control framework.

A cybersecurity risk management examination addresses two distinct but complementary subject matters: (1) the description of the entity’s cybersecurity risk management program, and (2) the effectiveness of the controls within that program in achieving the entity’s cybersecurity objectives.

The cybersecurity risk management examination results in the issuance of a cybersecurity risk management examination report, which management can provide to users to help them understand the entity’s cybersecurity risks and how it manages them. The description criteria cover the nature of your business and operations, cybersecurity risk factors, risk governance, risk assessment and monitoring.

In practice, your CPA will consult with you to assist your management team in properly developing management’s description of its cybersecurity risk management program. This represents the foundation upon which the examination and SOC cybersecurity reporting are based.