SOC for Cybersecurity:  Breaking Down the Report

Posted by Michael Thilker, CPA, CITP, Senior Manager on Apr 17, 2020 10:00:00 AM

In the previous blogs in this series, several aspects of SOC examinations were explored. This portion takes an in-depth look at the contents of a SOC for Cybersecurity report.

SOC for Cybersecurity reports are generated based on a review of the organization’s entity-wide cybersecurity risk management program. Our team works directly with your firm's management to identify and proactively address security risks. The report consists of three sections:

Management’s Assertion

Management provides an assertion regarding the presentation and effectiveness of the controls in place to achieve the cybersecurity criteria. The assertion addresses description criteria and control criteria.

Independent Auditor’s Report

The CPA’s opinion is expressed about whether the description of the entity’s cybersecurity risk management program is presented in accordance with the description criteria and whether the controls within that program were effective to achieve the entity’s cybersecurity objectives based on the control criteria.

Management’s Description

This section contains the description of the entity’s cybersecurity risk management program. The description is designed to provide information about how the entity identifies its information assets, the ways in which the entity manages the cybersecurity risks that threaten it, and the key security policies and processes implemented and operated to protect the entity’s information assets against those risks.

One of the most important attributes of the SOC for Cybersecurity report is that its distribution is not limited. As a result, the report contains less detail than other reports, such as a SOC 2, which is restricted and contains a great deal of detail. The SOC for Cybersecurity report is designed to provide insight without containing enough information to put the organization at risk.

Nothing is more valuable to an organization than its ability to function. This portion should give you an idea of how the SOC examination process works and how long it takes. Watch for our upcoming posts, which will take a detailed look at each SOC examination:

‘SOC 2:  Breaking Down the Report’
