SOC for Cybersecurity: How to Check the State of Your Cyber Risk Program and Build Stakeholder Confidence

With individual states developing and updating information security legislation and the European Union’s General Data Protection Regulation (GDPR) set for implementation in May 2018, the process of validating internal cybersecurity controls has become an increasingly essential component of risk-management. It’s also proven to be an effective tool for inspiring stakeholder and consumer confidence.

One way to ensure these controls are both in place and effective—and to communicate this message to a broad range of stakeholders—is to conduct a system and organization control (SOC) for Cybersecurity audit.

Why It Matters

SOC for Cybersecurity is a reporting framework established by the American Institute of Certified Public Accountants (AICPA) that allows auditors to examine and report on an organization’s cybersecurity risk management program.

There are three other SOC audits available from the AICPA besides SOC for Cybersecurity: SOC 1, 2, and 3, respectively. Each assess information security in general; however, the intended audience of SOC 1, 2, and 3 reports is management and other specified parties that possess preexisting knowledge and understanding of the audited service organization and its systems. The specific differences between the examinations are clarified in the AICPA’s white paper, SOC 2® examinations and SOC for Cybersecurity examinations: Understanding the Key Distinctions, which was published in December 2017.

By introducing a common reporting framework specifically for cybersecurity controls, SOC for Cybersecurity audits bridge the gap between internal and external, as well as technically and non-technically proficient stakeholders. This allows auditors, IT professionals, and report users to be able to speak the same language and assess risks through the same lens.

SOC for Cybersecurity provides universal standards and language for:

  • Describing cybersecurity programs
  • Making assertions about cybersecurity programs
  • Making assertions about the effectiveness of the controls within a cybersecurity program based on a set of control criteria

How It Works

The SOC for Cybersecurity reporting framework is used to perform an examination-level attestation engagement called a cybersecurity risk management examination. It employs standard control criteria and language to assess processes and systems stemming from any number of relevant regulations and cybersecurity frameworks, providing unified guidance for descriptions and control criteria.

Relevant Frameworks

  • National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
  • International Organization for Standardization (ISO)/IEC 27001, 27002
  • COBIT 5
  • COSO 2013 Framework
  • NIST Special Publications 800 Series
  • HITRUST Common Security Framework

Relevant Regulations

  • US Department of Homeland Security requirements for annual FISMA reporting
  • HIPAA Security Rule
  • PCI DSS 3.2
  • Federal Financial Institutions Examination Council questionnaires

Next Steps

Preparing an organization’s leadership team for this type of reporting process is an essential step in assessing if a cyber risk management program has the necessary controls in place. One of the best ways to accomplish this is by performing an internal use only evaluation using one of the relevant frameworks or regulations.

We’re Here to Help

If you’d like to learn more about how a SOC for Cybersecurity audit could help your organization better manage risk, contact your Moss Adams professional.