AICPA’s New SOC for Cybersecurity Examination

As the data breach occurrences increase, organizations continue to struggle to demonstrate and maintain security of their data. To ensure that all appropriate measures are being taken, executives and senior management have begun requesting that their organizations demonstrate the effectiveness of their cybersecurity risk management programs through third party assessments

In response to this challenge and industry demand, the American Institute of CPAs (AICPA) has developed a systematic Cybersecurity Risk Management Reporting Framework.

This framework is a component of the new SOC for Cybersecurity examination and is designed to help organizations manage cybersecurity threats through effective processes and stringent controls to identify, respond, and recover from security breaches. These reports provide organizations with in-depth information to better understand current and potential security efforts.

Cybersecurity Risk Management Framework Key Criteria

While designing the reporting framework, the AICPA established two types of criteria for examination. These harmonious criteria sets can be used for comparability while discussing the organization’s current programs. The two types of criteria are as followed:

  1. Descriptive Criteria – Narrative description of the organization’s current cybersecurity risk management program to measure effectiveness of controls within the program
  2. Control Criteria – Using pre-existing control criteria to measure effectiveness of the organization’s current controls being evaluated

Organizations may also use the following pre-existing control criteria:

  • Trusted Services Criteria for Security, Availability, and Confidentiality
  • NIST Critical Infrastructure Cybersecurity Framework
  • ISO 27001/27002

What is the SOC for Cybersecurity Examination?

The SOC for Cybersecurity Examination is an engagement performed by CPAs on an organization’s cybersecurity risk management program, covering two distinct areas including:

  1. The description of the organization’s cybersecurity risk management program; and
  2. The effectiveness of controls within that program to achieve the organization’s cybersecurity objectives.

The SOC for Cybersecurity Examination report will cover three components:

  1. Management’s description of the entity’s cybersecurity risk management program
  2. Management’s assertion
  3. Practitioner’s report

Benefits of SOC for Cybersecurity

By implementing this new framework and assessing current strategies, organizations have the capability to further develop their cybersecurity programs. After completion of the SOC for Cybersecurity examination, organizations can experience a myriad of benefits including:

  • An understanding of the organizations’ efforts to develop more effective and more targeted processes and controls to respond to cybersecurity risks
  • Developing a competitive advantage against similar organizations who have not completed a SOC for Cybersecurity engagement
  • Providing customers with peace of mind that your data is safeguarded

Although the examination is voluntary, SOC for Cybersecurity is the first step towards a standardized, market-based, solution allowing organizations to effectively improve, communicate, and demonstrate their cybersecurity risk management efforts.

For more information regarding SOC for Cybersecurity or to learn more about our SOC services, contact A-LIGN today at [email protected] or 1-888-702-5446.