Two IT Professionals in Control Room

Quantifying your cyber risk requires a common language. A new SOC report specific to cybersecurity offers that framework.

Preventing Cybercrime

SOC for Cybersecurity Could be the Answer for Jittery Management

  • Joel Eshleman
  • 1/19/2018

Cybersecurity incidents are becoming more common, targeting even small organizations. Boards of directors, management, and public and private organizations of all sizes are jittery, wondering, “Will we be next?”

Demonstrating that you have processes in place to control these threats and detect breaches can help provide the reassurance that your stakeholders demand.

That’s where System and Organization Controls (SOC) for cybersecurity enters the picture. It’s a market-driven, flexible, and voluntary reporting framework to help organizations communicate about their cybersecurity risk management program and the effectiveness of controls within that program. The guidelines are intended to standardize the underlying language that organizations use to define their cyber objectives and report on their effectiveness.

Developed by the AICPA, the framework should enable all industries to talk about their cybersecurity risk management programs through a common language.

This new SOC for cybersecurity report is issued under Statement on Standards for Attestation Engagements (SSAE) No. 18. If you are familiar with SOC1, SOC2, or SOC3 reports, then you may understand this framework. You may also know the framework as SSAE No. 16 or Statement on Auditing Standards (SAS) No. 70; which preceded SSAE No. 18. Unlike the SOC1 or SOC2, which are restricted to users of the system, the SOC for cybersecurity is a general use report that can be distributed to any interested party.

What SOC for cybersecurity means for you

SOC for cybersecurity looks at risk at a deeper level, examining cyber controls not just as a financial risk, but as a means for understanding whether the controls serve an organization’s cyber and IT objectives.

Testing your controls through this lens can help you assess your cyber risk, validate and benchmark the design of an existing risk program, and/or find (and remediate) the gaps in your program.

How is this program different than SOC2?

There has been some discussion among IT auditors and others in the security field about how SOC for cybersecurity differs from SOC2. How are they similar? The cybersecurity description is prepared by management to respond to the description criteria defined by the AICPA and includes 19 individual criteria statements.

These criteria are different from SOC2, where the description in the report is based on the controls that were implemented to address the trust service criteria.

How we can help

Since it’s voluntary, you may be asking whether you should engage a professional for a cybersecurity assessment. When you view cybersecurity as an enterprise risk management concern, the SOC for cybersecurity program provides a robust reporting framework and related criteria to help you understand your cybersecurity risk, and can give your stakeholders the confidence that you are on top of digital concerns. Furthermore, if cybersecurity breaches keep rising, SOC for cybersecurity (or a similar program) may become mandatory down the road.

We can help you implement a program for SOC for cybersecurity. We understand the framework, your industry, and the hacker mindset, and you will walk away knowing whether your internal controls are performing as expected in managing cybersecurity risks.