SOC for Cybersecurity

A SOC for Cybersecurity examination is aligned with the AICPA's Cybersecurity Risk Management Reporting Framework, which was designed to address cybersecurity risks at the entity level rather than the system level. The examination is performed in accordance with AICPA Attestation Standards section 105, Concepts Common to All Attestation Engagements, and section 205, Examination Engagements. The scope of the examination includes the assessment of both the design and operating effectiveness of controls within a Cybersecurity Risk Management Program. The AICPA defines a Cybersecurity Risk Management Program as the policies, procedures, and controls designed to protect information and systems from security events that could compromise the achievement of the entity's cybersecurity objectives, and to detect, respond to, mitigate, and recover from security events that are not prevented in a timely manner.

Similar to a SOC 2 examination, a SOC for Cybersecurity examination references description criteria and control criteria. The AICPA released its Description Criteria for Management's Description of an Entity's Cybersecurity Risk Management Program (description criteria) in April 2017. These criteria provide a benchmark for entity management to use in designing and describing their Cybersecurity Risk Management Program. The AICPA also updated the trust services criteria to include cybersecurity controls and released TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (control criteria). The new trust services criteria are used by entity management and the service auditor in evaluating the design and operating effectiveness of the cybersecurity controls described in a Cybersecurity Risk Management Program.

The new description criteria for a SOC for Cybersecurity examination are categorized into nine sections:

  1. Nature of business and operations
  2. Nature of information at risk
  3. Cybersecurity Risk Management Program objectives
  4. Factors that have a significant effect on inherent cybersecurity risks
  5. Cybersecurity risk governance structure
  6. Cybersecurity risk assessment process
  7. Cybersecurity communications and the quality of cybersecurity information
  8. Monitoring of the Cybersecurity Risk Management Program
  9. Cybersecurity control processes

The new framework is flexible and permits entity management to use control criteria other than the trust services criteria in designing and describing their Cybersecurity Risk Management Program. The NIST Critical Infrastructure Cybersecurity Framework, as well as ISO 27001/28002, may be used as long as the controls described align with the trust services criteria.

Similar to a SOC 2 examination, a Type I or Type II examination can be performed and can report on one or more trust services principles. As an attestation engagement, a SOC for Cybersecurity report must include management's description and assertion, and a CPA's opinion on the description and on the operating effectiveness of controls within the Cybersecurity Risk Management Program. The AICPA has issued the Reporting on an Entity's Cybersecurity Risk Management Program and Controls guide (the cybersecurity guide) to assist practitioners in performing a SOC for Cybersecurity examination.
