How Can Cybersecurity SOC Reports Be Useful to Your Organization?


Cybersecurity can be both an organization’s catalyst to success and its Achilles’ heel. Due to the vital role cybersecurity plays within virtually all organizations, it’s also becoming the price of admission for initiating business relationships. Considering cybersecurity is a global challenge, it’s becoming more important than ever for organizations to communicate the quality of these programs to address concerns from stakeholders. Corporations have relied upon third-party assessors to gain assurance over the quality of their cybersecurity programs. As a result, the American Institute of Certified Public Accountants (AICPA) recently added the Cybersecurity Service Organization Control (SOC) Report to its suite of other SOC Reports to address this topic.

What is a Cybersecurity SOC Report?

It is a report that evaluates the effectiveness of an organization’s enterprise-wide cybersecurity program. The report can be used to communicate information about the robustness of an organization’s cybersecurity program to relevant stakeholders. Based largely on the AICPA Cybersecurity Risk Management Framework, the report communicates these findings in a common language. In addition, the report’s scope can be limited solely to the suitability of the design of controls for organizations that aren’t ready for a full program effectiveness examination.

What are the Cybersecurity SOC Report criteria?

There are two main types of criteria that can be used to conduct Cybersecurity SOC readiness assessments and attestation examinations.

  1. Description criteria are used to evaluate Management’s description of the cybersecurity program.
  2. Control criteria are used to evaluate the effectiveness of the cybersecurity program controls.

Additionally, there is a Reporting on an Entity’s Cybersecurity Risk Management Program and Controls attestation guide that will be published on June 1, 2017. The guide will provide auditors with guidance on how to perform and report on these examinations in accordance with AICPA attestation standards.

From a Management perspective, an updated 2017 version of Trust Principles control criteria can be used to support these efforts as well. The relevant Trust Principles include Confidentiality, Availability, and Security. Other relevant controls from recognized IT frameworks can also be used such as the National Institute of Standards and Technology (NIST) Critical Infrastructure Cybersecurity Framework and ISO 27001/2.

What are the benefits of a Cybersecurity SOC Report?

The Cybersecurity SOC Report will cultivate confidence and trust in a service organization by its stakeholders. It will provide transparency into a cybersecurity program at a level of detail sufficient to provide assurance about the program’s effectiveness. All SOC reports are voluntary. However, the Cybersecurity SOC may become more frequently requested during procurement processes and preliminary business partner discussions. In addition, customers may begin to request this report to support their service provider vetting processes and compliance oversight activities.

How do I know if my organization is ready for a Cybersecurity SOC audit?

Considering that the Cybersecurity SOC Report, its corresponding guidance, and the Cybersecurity Risk Management Framework are relatively new, organizations that haven’t had other SOC audits conducted would likely benefit from beginning with an advisory engagement before starting an examination. Gap assessments using the AICPA Cybersecurity Risk Management Framework, the attestation guide, and the related criteria can be conducted to determine readiness. Once remediation of the gaps identified has been completed, the timeline for conducting the Cybersecurity SOC audit can be determined. These assessments can be conducted by in-house personnel if they have the expertise; otherwise, a third party can be engaged to perform an advisory engagement.

In addition, the AICPA is working on a white paper that will elaborate on the differences between a SOC 2 Report and a Cybersecurity SOC Report. This resource, when available, can also be used to further understand the benefits of these reports and whether one would be appropriate for your organization. Obtaining a Cybersecurity SOC Report will contribute to competitive advantages and promote internal operational effectiveness.

Interested in learning more about how a Cybersecurity SOC Report can add value to your organization? Contact Aronson Technology Risk Services Group manager Natasha Barnes at 301.231.6236 to discuss the current state of your cybersecurity framework and your unique business needs.

About Natasha Barnes

Natasha Barnes has written 3 posts in this blog.

Natasha Barnes is an IT risk and compliance professional with a focus on IT audit readiness and remediation. She has led large-scale remediation efforts for federal clients responding to IT findings from Financial Statement Audits. On these engagements, Natasha became well known for her diplomatic efforts in facilitating discussions with stakeholders across IT and Financial departments. She established an understanding of complex technical issues with these functional team members and helped them collaboratively execute remediation plans. She has also been involved with establishing and facilitating continuous monitoring programs, which contributed to the closure and severity reduction of several IT findings. In addition, Natasha has experience with security risk analysis, disaster planning, and project management. She holds Certified Associate in Project Management (CAPM) and Certified Information Systems Auditor (CISA) credentials. Natasha has led teams in executing Office of Management and Budget (OMB) A-123 compliance assessments, and she has contributed to a Statement on Standards for Attestation Engagements (SSAE-16) engagement. She also led a third-party system audit readiness assessment based on National Institute of Standards and Technology (NIST) 800-53 in anticipation of upcoming audit scrutiny. Natasha has developed and instructed trainings for her clients and colleagues on subjects related to Financial Statement Audit IT protocol, the Federal Information Security Management Act (FISMA), the Federal Information System Controls Audit Manual (FISCAM), NIST, and OMB A-123.
