With individual states developing and updating information security legislation and the European Union’s General Data Protection Regulation (GDPR) set for implementation in May 2018, the process of validating internal cybersecurity controls has become an increasingly essential component of risk management. It has also proven to be an effective tool for inspiring stakeholder and consumer confidence.
One way to ensure these controls are both in place and effective — and to communicate this message to a broad range of stakeholders — is to conduct a system and organization control (SOC) for Cybersecurity audit.
Why it matters
SOC for Cybersecurity is a reporting framework established by the American Institute of Certified Public Accountants (AICPA) that allows auditors to examine and report on an organization’s cybersecurity risk management program.
There are three other SOC audits available from the AICPA besides SOC for Cybersecurity: SOC 1, SOC 2, and SOC 3. Each assesses information security in general; however, the intended audience of SOC 1, 2, and 3 reports is management and other specified parties that possess preexisting knowledge and understanding of the audited service organization and its systems. The specific differences between the examinations are clarified in the AICPA’s white paper, SOC 2® examinations and SOC for Cybersecurity examinations: Understanding the Key Distinctions, which was published in December 2017.
By introducing a common reporting framework specifically for cybersecurity controls, SOC for Cybersecurity audits bridge the gap between internal and external stakeholders, and between technically and non-technically proficient ones. This allows auditors, IT professionals, and report users to speak the same language and assess risks through the same lens.
SOC for Cybersecurity provides universal standards and language for:
- Describing cybersecurity programs
- Making assertions about cybersecurity programs
- Making assertions about the effectiveness of the controls within a cybersecurity program based on a set of control criteria
How it works
The SOC for Cybersecurity reporting framework is used to perform an examination-level attestation engagement called a cybersecurity risk management examination.