SOC For Cybersecurity
Cybersecurity threats are on the rise, challenging organizations of all sizes, whether public or private.
Boards of directors, managers, investors, customers and other stakeholders are pressuring organizations to demonstrate that they are managing cybersecurity threats, and that they have put into place effective cybersecurity risk management programs to prevent, detect and respond to security breaches and other security events.
The AICPA has introduced a Cybersecurity Risk Management Reporting Framework that assists organizations as they communicate relevant and useful information about the effectiveness of their cybersecurity risk management programs. The Reporting Framework is a key component of a new System and Organization Controls (SOC) for Cybersecurity engagement, through which a CPA reports on an organization’s enterprise-wide cybersecurity risk management program. This information can help senior management, boards of directors, analysts, investors and business partners gain a better understanding of an organization’s efforts.
SOC for Cybersecurity Engagement Overview
SOC for Cybersecurity is an examination engagement performed in accordance with the AICPA’s clarified attestation standards on an entity’s cybersecurity risk management program. The AICPA Guide, Reporting on an Entity’s Cybersecurity Risk Management Program and Controls, provides guidance for practitioners engaged to examine and report on an entity’s cybersecurity risk management program. In a cybersecurity risk management examination, the practitioner opines on: (a) management’s description of the entity’s cybersecurity risk management program and (b) the effectiveness of the controls within that program in achieving the entity’s cybersecurity objectives. A cybersecurity risk management examination results in the issuance of a general-use cybersecurity report designed to meet the needs of a variety of potential users. The cybersecurity risk management examination report includes the following three key components:
- Management’s description of the entity’s cybersecurity risk management program.
- Management’s assertion.
- Practitioner’s report.
Who are Potential Users and what are the Benefits?
Senior management, boards of directors, analysts and investors, and business partners are all potential users of a cybersecurity risk management examination report.
A cybersecurity risk management examination report provides:
- Senior management with information about the effectiveness of an organization’s cybersecurity risk management program.
- Board members with information about the cybersecurity risks the entity faces and the program that management has implemented to address them, helping the board fulfill its oversight responsibilities.
- Analysts and investors with information intended to help them understand the cybersecurity risks that could threaten the achievement of the entity’s operational, reporting, and compliance (legal and regulatory) objectives and, consequently, have an adverse impact on the entity’s value and stock price.
- Business partners with information about the entity’s cybersecurity risk management program for use in their overall risk assessment.
Why Moore Colson?
Moore Colson has the knowledge, experience and depth to help you accomplish your goals. Given our experience working with companies under similar engagement parameters, we are confident that Moore Colson will deliver.
Moore Colson Can Help!
Moore Colson has the knowledge, experience and the right team of advisors to assist your company with:
- Readiness Services: Moore Colson can use the SOC for Cybersecurity criteria and guidance to assist you with implementing or strengthening your cybersecurity risk management program.
- Attestation Services: Moore Colson can perform a cybersecurity risk management examination engagement and provide an opinion on the entity’s description of its program and on the effectiveness of its controls.