SOC for Cybersecurity

The first component is a management-prepared narrative description of the entity’s cybersecurity risk management program (description). This description is designed to provide information about how the entity identifies its information assets, the ways in which the entity manages the cybersecurity risks that threaten it, and the key security policies and processes implemented and operated to protect the entity’s information assets against those risks. The description provides the context needed for users to understand the conclusions, expressed by management in its assertion and by the practitioner in his or her report. Management uses the description criteria to prepare and evaluate an entity’s cybersecurity risk management program.

The second component is an assertion provided by management, which may be as of a point in time or for a specified period of time. Specifically, the assertion addresses whether (a) the description is presented in accordance with the description criteria and (b) the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives based on the control criteria. The AICPA has developed control criteria for use when evaluating whether the controls within the program were effective to achieve the entity’s cybersecurity objectives.

The third component is a practitioner’s report, which contains an opinion, which addresses both subject matters in the examination. Specifically, the opinion addresses whether (a) the description is presented in accordance with the description criteria and (b) the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives based on the control criteria.