THE BOWMAN BLOG


SOC for Cybersecurity:  Breaking Down the Report

by | Apr 17, 2020 | For-Profit Entities, Healthcare, Not-for-Profits, Professional Services, SOC Suite

In the previous blogs in this series, several aspects of SOC examinations were explored. This portion takes an in-depth look at the contents of a SOC for Cybersecurity report.

SOC for Cybersecurity reports are generated based on a review of the organization’s entity-wide cybersecurity risk management program. Our team works directly with your firm’s management to identify and proactively address security risks. The report comprises three sections:

Management’s Assertion

Management provides an assertion regarding the presentation and effectiveness of the controls in place to achieve the cybersecurity criteria. The assertion addresses description criteria and control criteria.

Independent Auditor’s Report

The CPA’s opinion is expressed about whether the description of the entity’s cybersecurity risk management program is presented in accordance with the description criteria and whether the controls within that program were effective to achieve the entity’s cybersecurity objectives based on the control criteria.

Management’s Description

This section is the description of the entity’s cybersecurity risk management program. It is designed to provide information about how the entity identifies its information assets, the ways in which the entity manages the cybersecurity risks that threaten it, and the key security policies and processes implemented and operated to protect the entity’s information assets against those risks.


One of the most important attributes of the SOC for Cybersecurity report is that its distribution is not limited. As a result, the report contains less detail than other reports, such as a SOC 2, which is restricted and contains a great deal of detail. The SOC for Cybersecurity report is designed to provide insight without containing enough information to put the organization at risk.

Nothing is more valuable to an organization than its ability to function. This portion should give you an idea of how the SOC examination process works and how long it takes.  Watch for our upcoming posts which will take a detailed look at each SOC examination:

‘SOC 2:  Breaking Down the Report’
