SOC for Cybersecurity
A new cybersecurity attack is announced almost every day in the media. Nation states, hackers, organized crime, and malicious insiders are attacking entities because of who they are, the information they possess, and the services they provide. The attacks can disrupt a business, cause significant economic hardships and even bankrupt an entity. Victims include banks, retailers, government agencies and individuals.
Because of these attacks and the increasing pressure by the public, cybersecurity has become a top concern for boards of directors and senior executives of many entities, regardless of size or industry. Cybersecurity is a significant business risk for almost all businesses and management must be able to demonstrate that they are managing cybersecurity threats. Therefore, cybersecurity risks need to be identified, assessed and managed. It is the responsibility of the business to ensure that cybersecurity risks are addressed. An effective cybersecurity risk management program provides reasonable, but not absolute, assurance that material breaches are prevented or detected, and mitigated in a timely manner.
About SOC for Cybersecurity
In response to the increase in cyber threats and the increasing public pressure, the AICPA issued the Cybersecurity Risk Management Reporting Framework, a flexible and voluntary framework for entities to take a proactive approach to cybersecurity risk management. A SOC for Cybersecurity reports on an organization’s enterprise-wide cybersecurity risk management program. This information can help senior management, boards of directors, analysts, investors and business partners gain a better understanding of an organization’s efforts to manage cybersecurity risk.
A SOC for Cybersecurity provides organizations with a framework for communicating about the effectiveness of their cybersecurity risk management program to build trust and confidence.
Two Sets of Criteria
The reporting framework for a SOC for Cybersecurity allows for two distinct but complementary sets of criteria for use in the examination. Management uses the description criteria when preparing a narrative description of the entity’s cybersecurity risk management program. For the control criteria, management can use the Trust Services Criteria for Security, Availability, and Confidentiality, or other criteria such as the NIST Critical Infrastructure Cybersecurity Framework and ISO 27001/27002.
A SOC for Cybersecurity report includes the following:
- Management’s description of the cybersecurity risk management program.
- Management’s assertion regarding the presentation and effectiveness of the controls in place to achieve the cybersecurity criteria.
- Practitioner’s opinion on the description and effectiveness of controls in place to achieve the cybersecurity criteria.
The cybersecurity risk management program objectives that can be assessed include:
- Integrity of Data
- Integrity of Processing
Our Approach to Performing SOC for Cybersecurity Engagements
Choosing Smith & Howard as your partner in completing a SOC for Cybersecurity engagement benefits your service organization by:
- Providing a common framework to effectively communicate information regarding the organization’s cybersecurity risk management program.
- Providing confidence to users of the system that the organization is appropriately securing information from data breaches and hacking.
- Developing a competitive advantage against your competitors who are not using a trusted cyber risk management framework.
Our SOC Team is here to help you meet all of your SOC engagement and compliance needs. Our team has been trained specifically to perform SOC engagements and has the experience, knowledge, and skill to ensure your SOC engagement is seamless.
For more information about SOC 2 engagements, please complete the contact form on this page or call Marvin Willis at 404-874-6244.