In response to the increase in cyber threats, the American Institute of CPAs (AICPA) issued the Cybersecurity Risk Management Reporting Framework, also known as System and Organization Controls (SOC) for Cybersecurity, a flexible and voluntary framework that lets organizations in any industry take a proactive approach to cybersecurity risk management. The SOC for Cybersecurity examination engagement was developed and introduced by the AICPA in May 2017 to provide better insight into the effectiveness of an organization’s Cybersecurity Risk Management Program.
Who needs a SOC for Cybersecurity?
The SOC for Cybersecurity examination engagement is meant for any organization that wants independent validation of the effectiveness of its Cybersecurity Risk Management Program. Conducting a SOC for Cybersecurity examination helps senior management, boards of directors, analysts, investors, and business partners gain a better understanding of an organization’s cybersecurity efforts.
Developing a Cybersecurity Risk Management Program
A Cybersecurity Risk Management Program ensures an organization is safeguarding against potential data breaches and security incidents. The SOC for Cybersecurity examination engagement examines the program’s processes and controls for identifying, responding to, and recovering from security breaches effectively. The Cybersecurity Risk Management Program is developed by the company’s management and begins by defining the entity’s ultimate cybersecurity objectives. These objectives relate to three main overarching objectives:

| Objective | Description |
|---|---|
| 1. Operations Objectives | The effectiveness and efficiency of the entity’s operations, including operational and financial performance goals and safeguarding assets against loss. |
| 2. Reporting Objectives | Internal and external financial and non-financial reporting, which may encompass reliability, timeliness, transparency, or other terms set forth by regulators, recognized standard setters, or the entity’s policies. |
| 3. Compliance Objectives | Adherence to the laws and regulations to which the entity is subject. |
Key success factors in a Cybersecurity Risk Management Program include, but are not limited to, programs that:
- Support and drive strong governance attitudes and actions
- Are designed, developed, and implemented in a similar way to other business functions
- Adopt a standard framework approach that can be used for an extended period of many years with little or no change to that framework
- Are measurable in terms of their effectiveness
Management is responsible for developing, implementing, and operating the entity’s Cybersecurity Risk Management Program, as well as for:
- Developing and presenting a description of the entity’s cybersecurity risk management program
- Making an assertion about whether the description is presented in accordance with the description criteria
- Making an assertion about the effectiveness of the controls within the program based on a set of control criteria
Advantages of the SOC for Cybersecurity Engagement
Aside from gaining an understanding of your organization’s efforts to develop more effective, targeted processes and controls to respond to cybersecurity risks, you create a competitive advantage over similar organizations that have not completed a SOC for Cybersecurity examination. As the data breach landscape continues to evolve and attackers become more adept at targeting organizations, the cyber risk facing every organization increases. The potential failure of your information technology systems can leave your organization vulnerable to a security incident. Conducting a SOC for Cybersecurity examination provides you and your clients with the evaluation you need to confirm that your cybersecurity risk management program is working effectively to safeguard your company’s assets.
For more information regarding SOC for Cybersecurity, contact us or call 1-888-702-5446 to have an experienced assessor answer your questions.