To help businesses and organizations report on their cybersecurity risk management efforts, the AICPA's Assurance Services Executive Committee (ASEC) has exposed two sets of criteria for public comment:

Proposed Description Criteria for Management's Description of an Entity's Cybersecurity Risk Management Program is intended for use by management in designing and describing its cybersecurity risk management program, and by public accounting firms to report on management's description.

Proposed Revision of Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy outlines revised AICPA trust services criteria for use by public accounting firms that provide advisory or attestation services to evaluate the controls within an entity's cyber risk management program, or SOC 2® engagements. Management also may use the trust services criteria to evaluate the suitability of design and operating effectiveness of controls.

The comment period ends on December 5, 2016. In addition to these exposure drafts, you can find a number of other helpful resources, including a backgrounder on the AICPA's upcoming cybersecurity engagement, a mapping of the Proposed Trust Services Criteria, and the AICPA's input to the Commission on Enhancing National Cybersecurity.