SOC for Cybersecurity

A SOC for Cybersecurity examination is aligned with the AICPA's Cybersecurity Risk Management Reporting Framework, which was designed to address cybersecurity risks at the entity level rather than the system level. The examination is performed in accordance with AICPA Attestation Standards section 105, Concepts Common to All Attestation Engagements, and section 205, Examination Engagements. The scope of the examination includes the assessment of both the design and operating effectiveness of controls within a Cybersecurity Risk Management Program. The AICPA defines a Cybersecurity Risk Management Program as those policies, procedures, and controls designed to protect information and systems from security events that could compromise the achievement of the entity’s cybersecurity objectives; and to detect, respond to, mitigate, and recover from security events that are not prevented in a timely manner.

Similar to a SOC 2 examination, a SOC for Cybersecurity examination references description and control criteria. The AICPA released its Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program (description criteria) in April 2017. These criteria provide a benchmark for entity management to use in designing and describing their Cybersecurity Risk Management Program. The AICPA also updated the trust services criteria to include cybersecurity controls and released TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (control criteria). The new trust services criteria are used by entity management and the service auditor in evaluating the design and operating effectiveness of cybersecurity controls described in a Cybersecurity Risk Management Program.

The new description criteria for a SOC Cybersecurity examination are categorized into nine sections:

  1. Nature of business and operations
  2. Nature of information at risk
  3. Cybersecurity Risk Management Program objectives
  4. Factors that have a significant effect on inherent cybersecurity risks
  5. Cybersecurity risk governance structure
  6. Cybersecurity risk assessment process
  7. Cybersecurity communications and the quality of cybersecurity information
  8. Monitoring of the Cybersecurity Risk Management Program
  9. Cybersecurity control processes

The new framework is flexible and permits entity management to use control criteria other than the trust services criteria in designing and describing their Cybersecurity Risk Management Program. The NIST Critical Infrastructure Cybersecurity Framework, as well as ISO 27001/28002, may be used as long as the controls described align with the trust services criteria.

Similar to a SOC 2 examination, a Type I or Type II examination can be performed, and it can report on one or more trust service principles. As an attestation engagement, a SOC for Cybersecurity report must include management’s description and assertion, and a CPA’s opinion on the description and operating effectiveness of controls within the Cybersecurity Risk Management Program. The AICPA has issued the Reporting on an Entity’s Cybersecurity Risk Management Program and Controls guide (the cybersecurity guide) to assist practitioners in performing a SOC for Cybersecurity examination.
