Cybersecurity can be an organization’s catalyst to success and its Achilles’ heel. Due to the vital role cybersecurity plays within virtually all organizations, it’s also becoming the price of admission to initiate business relationships. Considering cybersecurity is a global challenge, it’s becoming more important than ever for organizations to communicate the quality of these programs to address concerns from stakeholders. Corporations have relied upon third-party assessors to gain assurances over the quality of their cybersecurity programs. As a result, the American Institute of Certified Public Accounts (AICPA) recently added the Cybersecurity Service Organization Control (SOC) Report to its suite of other SOC Reports to address this topic.
What is a Cybersecurity SOC Report?
It is a report that evaluates an organization’s enterprise-wide cybersecurity program effectiveness. The report can be used to communicate information about the robustness of an organization’s cybersecurity program to relevant stakeholders. Based largely on the AICPA Cybersecurity Risk Management Framework, the report will communicate these findings in a common language. In addition, this report scope can be limited to solely the suitability of the design of controls for organizations that aren’t ready for a full program effectiveness examination.
What are the Cybersecurity SOC Report criteria?
There are two main types of criteria that can be used to conduct Cybersecurity SOC readiness assessments and attestation examinations.
- Description criteria are used to evaluate Management’s description of the cybersecurity program.
- Control criteria are used to evaluate the effectiveness of the cybersecurity program controls.
Additionally, there is a Reporting on an Entity’s Cybersecurity Risk Management Program and Controls attestation guide that will be published on June 1, 2017. The guide will provide auditors with guidance on how to perform and report on these examinations in accordance with AICPA attestation standards.
From a Management perspective, an updated 2017 version of Trust Principles control criteria can be used to support these efforts as well. The relevant Trust Principles include Confidentiality, Availability, and Security. Other relevant controls from recognized IT frameworks can also be used such as the National Institute of Standards and Technology (NIST) Critical Infrastructure Cybersecurity Framework and ISO 27001/2.
What are the benefits of a Cybersecurity SOC Report?
The Cybersecurity SOC Report will cultivate confidence and trust in a service organization by its stakeholders. It will provide transparency into a cybersecurity program at a level of detail sufficient enough to provide assurances about the program effectiveness. All SOC reports are voluntary. However, the Cybersecurity SOC may become more highly requested during procurement processes and business partner preliminary discussions. In addition, customers may begin to request this report as well to support their service provider vetting processes and compliance oversight activities.
How do I know if my organization is ready for a Cybersecurity SOC audit?
Considering the Cybersecurity SOC Report, corresponding guidance, and Cybersecurity Risk Management Framework are relatively new, beginning with an advisory engagement would likely be beneficial prior to beginning an examination for organizations that haven’t had other SOC audits conducted. Gap assessments using the AICPA Cybersecurity Risk Management Framework, attestation guide, and the related criteria can be conducted to determine readiness. Once the remediation from the gap assessment has been completed, then the timeline to conduct the Cybersecurity SOC audit can be determined. These can be conducted by in-house personnel if they have the expertise, otherwise a third-party can be engaged to perform an advisory engagement.
In addition, the AICPA is working on a white paper that will elaborate on the differences between a SOC 2 Report and a Cybersecurity SOC Report. This resource when available can also be used to further understand the benefits of these reports and whether one would be appropriate for your organization. Obtaining a Cybersecurity SOC Report will contribute to competitive advantages and promote internal operational effectiveness.
Interested in learning more about how a Cybersecurity SOC Report can add value to your organization? Contact our team today to discuss the current state of your cybersecurity framework and your unique business needs.