SOC for Cybersecurity

SOC for Cybersecurity reports provide report users assurance about an organizations ability to protect against cybersecurity threats.  Whereas a SOC 2 or 3 is for "Service Organizations" and applies to a specific system of the serivce organizaton.  A SOC for Cybersecurity assessment is an "entity-wide", independent review, of the entity's cybersecurity risk management program. 

​

SOC for Cybersecurity reports provide report users (stakeholders, investors, business partners, management, etc.) valuable information about the entity's ability to manage cybersecurity risk.  As such, the SOC for Cybersecurity report may build trust and confidence to report users regarding the entity.

​

Unlike the SOC 2 report, which is considered a "restricted use" report and should only be shared with interested parties of the service organizations' system.  A SOC for Cybersecurity report is intended for a broad range of users and may be deemed a "General Use" report.  The key sections within a SOC for Cybersecurity Report include:

​

1. Description of the entity's cybersecurity risk management program.

2. Management's written assertion regarding design and effectiveness of controls within the risk management program.

3. An independent CPA's opinion of the description and controls of the risk management program.

​

Similar to a SOC 2 examination, the SOC for Cybersecurity report uses the trust service criteria (TSC) for the control criteria.  To learn more on the key distinctions of a SOC 2 and SOC for cybersecurity examination, click on the following link to download the AICPA whitepaper "Understanding the Key Distinctions".

​