Prove your credibility
through SOC Certification

SOC FOR CYBERSECURITY

A SOC for Cybersecurity examination provides an opinion on the design and operating effectiveness of controls within a Cybersecurity Risk Management Program. This Program is defined as the policies, procedures, and controls designed to protect information and systems from security events through the execution of timely detection, response, mitigation, and recovery activities. Similar to a SOC 2 examination, a Type I or Type II can be performed and can include one or more trust service criteria. Organizations can also use numerous frameworks to develop their Cybersecurity Risk Management Program.

The AICPA’s guide on Reporting on an Entity’s Cybersecurity Risk Management Program and Controls (the cybersecurity guide) is used in performing a SOC for Cybersecurity examination. The AICPA defines a Cybersecurity Risk Management Program as the “policies, procedures, and controls designed to protect information and systems from security events that could compromise the achievement of the entity’s cybersecurity objectives; and to detect, respond, mitigate, and recover from security events that are not prevented in a timely manner” (AICPA). The description criteria for a SOC for Cybersecurity examination are categorized into nine sections:

  1. Nature of business and operations
  2. Nature of Information at Risk
  3. Cybersecurity Risk Management Program objectives
  4. Factors that have a significant effect on inherent cybersecurity risks
  5. Cybersecurity risk governance structure
  6. Cybersecurity risk assessment process
  7. Cybersecurity communications and the quality of cybersecurity information
  8. Monitoring of the Cybersecurity Risk Management Program
  9. Cybersecurity control processes


SOC for Cybersecurity, Type I Examination

A Type I examination provides an opinion on whether the description of the Cybersecurity Risk Management Program fairly represents the design of the controls in place to meet the service commitments and system requirements of that Program. A SOC for Cybersecurity Type I examination is performed as of a point in time. The distribution of a SOC for Cybersecurity, Type I report is restricted.


SOC for Cybersecurity, Type II Examination

A Type II examination provides an opinion on whether the description of the Cybersecurity Risk Management Program is fairly presented and whether the controls, as designed, are operating effectively to meet the service commitments and system requirements of that Program. A SOC for Cybersecurity Type II examination is performed over a period of time called a service period. The distribution of a SOC for Cybersecurity, Type II report is restricted.

SOC for Cybersecurity Benefits

  • Work with an expert to gain valuable insight into cybersecurity risk management best practices and regulations
  • Demonstrate your cyber resiliency through SOC certification for your Cybersecurity Risk Management Program

To learn more about our SOC for Cybersecurity services, reach out and speak to a SOC2 Services expert today!