SOC for Cybersecurity

In April 2017, the American Institute of Certified Public Accountants (AICPA) introduced a new examination entitled System and Organization Controls (SOC) for Cybersecurity which builds on the AICPA standards already in place over SOC examinations. Existing SOC1, SOC2, and SOC3 framework was directly focused on organizations providing direct or indirect services to other organizations as a service provider.

SOC for Cybersecurity, however, is appropriate for virtually any type of business or nonprofit organization, and is performed in accordance with the AICPA’s Cybersecurity risk management program attestation standards. It focuses on communicating information regarding the design and operating effectiveness of an organization’s cybersecurity risk management program to the organization’s management, board, and other stakeholders, allowing them to understand the processes, policies, and controls that the organization has in place to mitigate and prevent cybersecurity attacks on their information as well as determine potential gaps that are not addressed by processes, policies, or controls currently in place within the organization.

To facilitate this evaluation of an organization’s cybersecurity program, the AICPA developed a cybersecurity risk management reporting framework that assists organizations as they communicate relevant and useful information about the effectiveness of their cybersecurity risk management programs. This framework is a key component of the SOC for Cybersecurity engagement, through which a CPA reports on an organization’s enterprise-wide cybersecurity risk management program. This information can help senior management, board of directors, analysts, investors, and business partners gain a better understanding of the organizations’ efforts.

What is a Cybersecurity Risk Management Program?

A cybersecurity risk management program expands upon a routine IT policy by including an organization’s processes, policies, and controls implemented by the organization to protect and secure the organization’s information and systems from cybersecurity attacks and events. The objective of the cybersecurity risk management program is to detect and mitigate cybersecurity attacks and events while including processes and controls in place to respond to and to recover from cybersecurity attacks and events that are not prevented.

Does your organization need a SOC for Cybersecurity?

A SOC for Cybersecurity examination is not required but is useful for an organization and its stakeholders in understanding the cybersecurity programs in place. If a company relies on the integrity and security of its systems for its ongoing business operations or fields regular questions from customers or prospects on the nature if its cybersecurity programs, a SOC for Cybersecurity report should be strongly considered.