SOC for Cybersecurity
Organizations are under increasing pressure to demonstrate that they are managing cybersecurity threats, and that they have effective processes and controls in place to detect, respond to, mitigate and recover from breaches and other security events.
To address this market need, the AICPA has developed a cybersecurity risk management reporting framework that assists organizations as they communicate relevant and useful information about the effectiveness of their cybersecurity risk management programs. The framework is a key component of a new System and Organization Controls (SOC) for Cybersecurity engagement, through which a CPA reports on an organization's enterprise-wide cybersecurity risk management program. This information can help senior management, boards of directors, analysts, investors and business partners gain a better understanding of organizations' efforts.

CPAs
Provides information to CPAs on understanding and performing engagements on an organization’s cybersecurity risk management program.

Users
Provides users (senior management, boards of directors, analysts, investors and business partners) with useful information for decision-making about an organization’s cybersecurity risk management program.

Organizations
Provides organizations with a framework for communicating about the effectiveness of their cybersecurity risk management program to build trust and confidence.
Introduction to the AICPA's Cybersecurity Risk Management Framework [Video]
The AICPA’s new cybersecurity risk management reporting framework helps organizations communicate about and CPAs report on cybersecurity risk management programs. Learn more about the framework in this video featuring Sue Coffey, CPA, CGMA, AICPA executive vice president for public practice.
SOC for Cybersecurity Resources
- SOC for Cybersecurity Brochure
- Communications of Cybersecurity Incidents: Comparison between SEC Release 33-10459 and the AICPA's cybersecurity risk management framework
- Cybersecurity Risk Management Oversight: A Tool for Board Members
- Cybersecurity Risk Management Reporting Fact Sheet
- Background information about the SOC for Cybersecurity engagement and related approach
- Mapping of the 2017 Trust Services Criteria to Extant 2016 Trust Services Principles and Criteria
- Mapping of the Trust Services Criteria to NIST 800-53
- Illustrative Cybersecurity Risk Management Report
- Whitepaper - SOC 2® Examinations and SOC for Cybersecurity Examinations: Understanding the Key Distinctions
- Private Companies Practice Section (PCPS) Cybersecurity Toolkit
- Hacking the Cyber Threat: A Cybersecurity Primer for Law-Enforcement Leaders and Executives
For additional resources, visit the AICPA's Cybersecurity Resource Center.
News & Comment Letters
Guides and Professional Standards for Cybersecurity Risk Management Reporting Framework

Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (control criteria) are intended for use by CPAs to provide advisory or attestation services to evaluate the controls within an entity’s cyber risk management program, or for SOC 2® and SOC 3® engagements. Management also may use the trust services criteria to evaluate the suitability of design and operating effectiveness of controls.

Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program (description criteria) are intended for use by management in designing and describing their cybersecurity risk management program, and by CPAs to report on management’s description.

Attestation Standards
This 2017 edition of the AICPA Codification of Statements on Standards for Attestation Engagements includes the newly clarified Statements on Standards for Attestation Engagements in SSAE No. 18, Attestation Standards: Clarification and Recodification. Redrafted in accordance with the clarity drafting conventions and differentiated from the extant standards by using the identifier “AT-C”, the attestation standards are easier to read, understand, and apply because each AT-C section establishes its objectives and definitions and separates requirements from application and other explanatory material.
Some of the more significant changes introduced by SSAE No. 18 include (among other changes):
- Separation of procedural and reporting requirements for review engagements from their counterparts for examination engagements
- Required representation letters
- More robust risk assessment for examination engagements
SSAE No. 18 supersedes all of the extant attestation standards with the following exceptions:
- AT 501, An Examination of an Entity’s Internal Control Over Financial Reporting That is Integrated With An Audit of Financial Statements
- AT 701, Management’s Discussion and Analysis