What is it?
Similar to a System and Organization Controls (SOC) 2 examination, SOC for Cybersecurity focuses on an organization’s cybersecurity risk management program. SOC for Cybersecurity differs from SOC 2 in that it is intended for any type of enterprise, not just service organizations.
SOC for Cybersecurity gives a company the opportunity to provide its partners (e.g., customers, stakeholders) assurance that it is committed to cybersecurity best practices.
How an auditor will evaluate an organization’s SOC for Cybersecurity report:
There are two criteria used by the auditor: description criteria and control criteria.
Description criteria – The organization provides a narrative describing its cybersecurity risk management program. The AICPA Description Criteria for Management’s Description of the Entity’s Cybersecurity Risk Management Program establishes several requirements, or criteria, that this description must address:
- Nature of business and operations
- Nature of information at risk
- Cybersecurity risk management program objectives (cybersecurity objectives)
- Factors that have a significant effect on inherent cybersecurity risks
- Cybersecurity risk governance structure
- Cybersecurity risk assessment process
- Cybersecurity communications and the quality of cybersecurity information
- Monitoring of the cybersecurity risk management program
- Cybersecurity control processes
Control criteria – The baseline for the company’s system of internal control is up to management. Typically, management will adopt a risk management framework (e.g., NIST CSF, ISO 27001:2022) and implement related control activities to mitigate cyber risk. The auditor will evaluate the system of controls against the framework selected.
Advantages of obtaining a SOC for Cybersecurity report:
- Internally, completing a SOC for Cybersecurity examination will help everyone on your team understand what you’re doing well and what you may be able to improve upon with respect to cybersecurity.
- You’re provided an objective opinion from an independent source that your cybersecurity risk management program is strong. Sharing this report with interested parties should provide a high level of assurance that your organization can be trusted with sensitive information.
- Competitive advantage. SOC for Cybersecurity is a relatively new type of examination, and it’s likely most of your competitors have not been through anything like it. The cybersecurity landscape, and the demands that come with it, change every day – being early will be nothing but helpful as you try to win deals.
The cost of one of these examinations depends on several factors, most importantly the scope (i.e., organizational size and complexity, complexity of the control activities) and the period covered by the auditor’s opinion.
Companies have the option of engaging the auditor to either:
- Evaluate the design of their cybersecurity program at a specific point in time (e.g., as of December 31, 20XX), or
- Evaluate the design and operating effectiveness of the controls in their cybersecurity program over a specified period of time (e.g., January 1, 20XX to December 31, 20XX).
The latter provides a higher level of assurance to report users: not only do you have well-designed procedures in place, but they have also functioned as intended over a period of time. These reports are more costly because they require a higher level of involvement from the auditor.
SOC for Cybersecurity is for all companies offering a service or selling a product, for-profit and non-profit. It’s a fantastic way to demonstrate your commitment to cybersecurity to your customers and stakeholders, and may help close deals that involve sharing sensitive information.
The reports are also a great tool for ongoing management of your cybersecurity program. An external assessment may uncover gaps or weaknesses in your system of internal control that might otherwise have gone unnoticed.
Taylor Gavigan is a Manager at Dansa D’Arata Soucia LLP. Taylor is responsible for managing the firm’s attestation department, which includes SOC 1, SOC 2, SOC for Cybersecurity, SOC for Supply Chain, regulatory compliance examinations (e.g., HIPAA, GDPR), and ISO 27001 internal audit engagements.