Reporting on an Entity’s Cybersecurity Risk Management Program and Controls (SOC for Cybersecurity)

Cybersecurity assessment

The AICPA has recently developed a cybersecurity risk management reporting framework that is being added to the suite of System and Organization Controls (SOC) report offerings. This framework will assist organizations in communicating relevant and useful information about their cybersecurity risk management program.

Companies need to be able to evidence that they can manage cybersecurity threats and have processes and controls in place to monitor, detect, respond and recover from breaches and security events. With a SOC for Cybersecurity Report, companies will be able to demonstrate to clients what they are doing to address cybersecurity.

Why Assess Cybersecurity Risk?

Cyber attacks have become increasingly more organized, persistent and more profitable for the attackers. Because there have been successful cybersecurity attacks on corporations of all sizes and throughout the world, there is an increased focus on cybersecurity by business owners, customers, vendors, business partners, regulators, etc.

Companies are now evaluating the effectiveness of their cybersecurity risk management programs and have been looking for ways to communicate the results of these examinations to interested parties. Therefore, the Assurance Services Executive Committee (ASEC) Cybersecurity Working Group within the AICPA has formalized an external reporting framework on cybersecurity risk management. This allows for external reporting that can be communicated by a company that provides details about their cybersecurity risk management program.

What does SOC for cybersecurity cover?

What Does SOC for Cybersecurity  Cover?

The cybersecurity risk management examination is performed in accordance with AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements (AICPA, Professional Standards) within Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification.

The cybersecurity risk management engagement will include a description of the entity’s cybersecurity risk management program and the effectiveness of the control within that program to achieve the entity’s cybersecurity objectives. A design-only cybersecurity risk management examination may also be performed that only covers the description and suitability of the design of controls (this is what most of us know as a Type I, or a point in time report).

Similar to the SOC 2, the SOC for Cybersecurity will include TSC (Trust Services Criteria) 100 criteria (see this resource for additional detail on TSCs). A SOC for Cybersecurity examination will include the security, availability and confidentiality TSCs. The examination will not cover the privacy or processing integrity TSCs, nor will it provide an opinion on compliance with laws and regulations.

The AICPA has recently mapped the TSCs to the COSO framework, though there is flexibility within the SOC for Cybersecurity examination, so there would be little impact if an organization is using another framework (i.e. NIST, ISO, ITIL, etc.) vs. COSO.

The AICPA outlines the criteria for SOC for Cybersecurity here. This is intended for use by management in designing and describing their cybersecurity risk management program, and can also to be used by audit firms as guidance when completing a SOC for Cybersecurity examination on management’s description.

The format of the report is similar to what many organizations and CPA firms are used to for SOC reports, though there are some differences. The SOC for Cybersecurity report will include three sections:

  • Section 1: Assertion of the Management of XYZ Company: This section will include whether management of the organization has presented the description in accordance with the description criteria and whether they believe the controls within the organization’s cybersecurity risk management program were effective to achieve the organization’s cybersecurity objectives based on the control criteria.
  • Section 2: Independent Accountant’s Report: This section will include an opinion from the independent auditor on whether the description is presented in accordance with the description criteria and whether the controls within the organization’s cybersecurity risk management program were effective to achieve the organization’s cybersecurity objectives based on the control criteria.
  • Section 3: XYZ Company’s Description of Its Cybersecurity Risk Management Program: This section will include how the organization identifies its sensitive information and systems, the ways in which it identifies and manages cybersecurity risk, and a summary of processes implemented and operating to protect the information systems against risk.

Who Should Get a SOC for Cybersecurity Report?

Any organization that is being asked about their cybersecurity program is a good candidate for a SOC for Cybersecurity examination. Specifically, if a client or customer requires evidence of measures being taken for cybersecurity, an organization can evidence this by providing a SOC for Cybersecurity report.

Additionally, vendors, business partners, regulators and even boards or audit committees may request or require a formal report on a company’s cybersecurity risk management program.

In both of these cases, a SOC for Cybersecurity report would be a formal and consistent way to communicate results to increase users’ confidence.

Who can issue SOC reports

Who Can Issue SOC for Cybersecurity Reports?

Just like other SOC reports, a Certified Public Accounting (CPA) firm has to issue the SOC for Cybersecurity reports. While a CPA firm is required to issue the SOC for Cybersecurity reports, it is imperative that there be auditors with technical expertise included on the team completing the examination for the CPA firm.

While CPA firms bring an independent, objective, and skeptical mindset, strong analytical skills and IT security/cybersecurity expertise is a must when completing these examinations. When an organization is selecting a CPA firm to complete their examination, they should inquire about the IT security/cybersecurity expertise of the team members.


In summary, SOC for Cybersecurity is one of the new examinations added to the suite of SOC examinations guided by the AICPA. This examination is an excellent option for any organization that is getting asked about their cybersecurity risk management program and need a formalized way of evidencing and reporting what they are doing to address this risk. These examinations can be completed by a CPA firm.

Please contact Linford & Company to discuss SOC for Cybersecurity or any other SOC examination need.