SOC for Cybersecurity

Cybersecurity threats are on the rise, challenging organizations of all sizes—whether public or private.

Boards of directors, managers, investors, customers and other stakeholders are pressuring organizations to demonstrate that they are managing cybersecurity threats and have put in place effective cybersecurity risk management programs to prevent, detect and respond to security breaches.

One way for an organization to demonstrate that it is managing cybersecurity threats is to obtain a SOC for Cybersecurity report.

SOC for Cybersecurity is an examination engagement, performed in accordance with the AICPA’s clarified attestation standards, on an entity’s cybersecurity risk management program. In a cybersecurity risk management examination, an independent CPA opines on:

(a) management’s description of the entity’s cybersecurity risk management program and

(b) the effectiveness of controls within that program to achieve the entity’s cybersecurity objectives.

A cybersecurity risk management examination results in the issuance of a general-use cybersecurity report (one that is not restricted to specified parties) designed to meet the needs of a variety of potential users.

The cybersecurity risk management examination report includes the following three key components:

1. Management's assertion.

As with all SOC reports, management provides a written assertion. Specifically, the assertion addresses whether

(a) the description is presented in accordance with the description criteria and

(b) the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives based on the control criteria.

The AICPA has developed control criteria (its Trust Services Criteria) for use when evaluating whether the controls within the program were effective to achieve the entity’s cybersecurity objectives. Other control criteria may be used if they are suitable and available to report users, and the description must identify which criteria were applied.

2. Practitioner's report.

The second component is a practitioner’s report containing the practitioner’s opinion on both subject matters of the examination. Specifically, the opinion addresses whether

(a) the description is presented in accordance with the description criteria and

(b) the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives based on the control criteria.

3. Management's description.

The last component is a narrative description of the entity’s cybersecurity risk management program prepared by management (the description). BRC will assist the organization’s management in preparing this description, although management remains responsible for its content and for the assertion made about it. The description is designed to provide information about how the entity identifies its information assets, the ways in which the entity manages the cybersecurity risks that threaten them, and the key security policies and processes implemented and operated to protect those information assets against those risks. The description provides the context users need to understand the conclusions expressed by management in its assertion and by the practitioner in his or her report.

There are two types of reports for these engagements:

  • Type 1 – a report on whether management’s description of the entity’s cybersecurity risk management program is presented in accordance with the description criteria and whether the controls within the program were suitably designed to achieve the entity’s cybersecurity objectives as of a specified date. A Type 1 report does not address operating effectiveness.
  • Type 2 – a report on whether management’s description of the entity’s cybersecurity risk management program is presented in accordance with the description criteria and whether the controls within the program were suitably designed and operated effectively to achieve the entity’s cybersecurity objectives throughout a specified period. Because it covers the operation of controls over a period rather than their design at a single point in time, a Type 2 report provides users with more assurance than a Type 1 report.

Let’s get started today. BRC is ready to help your organization demonstrate the maturity of its cybersecurity risk management program. Contact Ben Hunter III, CPA/CITP, CISA, CRISC, CDPSE, CISM at (336) 294-4494 or bhunter@brccpa.com to get started on a SOC for Cybersecurity engagement today.

Ben Hunter III, CISO and Advisory Services Principal; CPA/CITP, CISA, CRISC, CDPSE, CISM

Ben is the Chief Information Security Officer for BRC and a Principal in the Firm’s Risk Advisory Services Practice. He specializes in cybersecurity and information technology audits and assessments. Ben began his cybersecurity career in the US Marine Corps. After becoming a Certified Public Accountant, he continued his cybersecurity and IT audit training […]