SOC for Cybersecurity

Identify and contain potential cyberthreats with a SOC examination for cybersecurity.

Established by the American Institute of Certified Public Accountants (AICPA), the SOC for Cybersecurity reporting framework provides the ability for CPAs to examine and report on an organization’s cybersecurity risk management program (CRMP).

SOC examinations help provide an independent, entity-wide examination of the CRMP for any type of organization and can give boards, investors, business partners, and other stakeholders confidence in an organization’s CRMP and its mitigation strategies to combat cyberattacks.

How Does SOC for Cybersecurity Compare to SOC 2?

The SOC for Cybersecurity examination differs from a SOC 2® examination in three main ways:

  • Purpose
  • Criteria
  • Assessment reports

The examinations focus on different security types. SOC 2 primarily addresses general information security, while SOC for Cybersecurity focuses on cybersecurity risk management programs.

How Can SOC for Cybersecurity Be Distributed?

Though designed to meet the needs of a broad range of users, the intended audience typically includes board members, management, analysts, investors, and business partners. The report isn’t restricted to specified parties.

Practitioners may decide to restrict the use of their report to specified parties to limit the distribution of the report to only those who need to know, or who have specifically requested, the information.

Public companies, however, must routinely prepare disclosures about cybersecurity risks and incidents—which the report can provide.

How the Process Works

Management is responsible for the controls within the entity’s CRMP, regardless of whether those controls are performed by the entity or by a service organization. While the scope of the examination report can be limited to a portion of the entity or to the larger organization, the description criteria is required to address controls within the entity’s CRMP.

Preparing an organization’s leadership team for this reporting process is essential. Performing an internal-use-only evaluation using one of the relevant frameworks or regulations can help make the process more effective.

How Do You Select a Security Framework for SOC for Cybersecurity?

Select the framework that best meets the needs of your organization and base the SOC examination for cybersecurity on that framework.

Applicable frameworks include:

  • National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
  • International Organization for Standardization (ISO)/IEC 27001, 27002
  • Control Objectives for Information Technologies (COBIT) 5
  • Committee of Sponsoring Organizations (COSO) Framework
  • NIST Special Publications 800 Series
  • Health Information Trust Alliance (HITRUST) Common Security Framework
  • US Department of Homeland Security requirements for annual Federal Information Security Management Act (FISMA) reporting
  • Health Insurance Portability and Accountability Act (HIPAA) Security Rule
  • Payment Card Industry Data Security Standard (PCI DSS) 3.2
  • Federal Financial Institutions Examination Council questionnaires

Report Contents

The report contains three sections:

  • Management’s description of the entity’s CRMP in accordance with the description criteria
  • Management’s assertion that its description is in accordance with the description criteria and that controls within the program were effective in achieving the entity’s cybersecurity objectives based on the control criteria
  • CPA’s opinion of management's description and the operating effectiveness of internal controls

Expansive SOC Experience

Our professionals provide examinations for a range of client types including software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), and platform-as-a-service (PaaS) companies, business intelligence providers, colocation data centers, financial institutions and service companies, third-party administrators, benefits administrators, and more.


Primary Contact