Cybersecurity threats are on the rise, challenging organizations of all sizes—whether public or private. Boards of directors, managers, investors, customers and other stakeholders are pressuring organizations to demonstrate that they are managing cybersecurity threats, and that they have put into place effective cybersecurity risk management programs to prevent, detect and respond to security breaches.
To meet that need the AICPA has introduced SOC for Cybersecurity, a solution that builds upon the profession’s experience in auditing system and organization controls. It enables CPAs to examine and report on an organization’s cybersecurity risk management program.
CPAs can use the SOC for Cybersecurity criteria and guidance to provide advisory engagements to help their clients strengthen their cybersecurity risk management programs. Or, as an organization reaches a state of readiness, an independent CPA can offer a cybersecurity risk management examination engagement and provide an opinion on the entity’s description of its efforts, and the effectiveness of its controls.
SOC for Cybersecurity Engagement Overview
SOC for Cybersecurity is an examination engagement, performed in accordance with the AICPA’s clarified attestation standards, on an entity’s cybersecurity risk management program. The AICPA Guide, Reporting on an Entity’s Cybersecurity Risk Management Program and Controls, provides guidance for practitioners engaged to examine and report on an entity’s cybersecurity risk management program. In a cybersecurity risk management examination, the practitioner opines on (a) management’s description of the entity’s cybersecurity risk management program and (b) the effectiveness of the controls within that program to achieve the entity’s cybersecurity objectives. A cybersecurity risk management examination results in the issuance of a general-use cybersecurity report designed to meet the needs of a variety of potential users. The cybersecurity risk management examination report includes the following three key components:
- Management’s description of the entity’s cybersecurity risk management program. The first component is a management-prepared narrative description of the entity’s cybersecurity risk management program (the description). The description is designed to provide information about how the entity identifies its information assets, the ways in which the entity manages the cybersecurity risks that threaten those assets, and the key security policies and processes implemented and operated to protect the entity’s information assets against those risks. The description provides the context users need to understand the conclusions expressed by management in its assertion and by the practitioner in his or her report. Management uses the description criteria to prepare, and to evaluate the presentation of, its description of the entity’s cybersecurity risk management program.
- Management’s assertion. The second component is an assertion provided by management, which may be as of a point in time or for a specified period of time. Specifically, the assertion addresses whether (a) the description is presented in accordance with the description criteria and (b) the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives based on the control criteria. The AICPA has developed control criteria for use when evaluating whether the controls within the program were effective to achieve the entity’s cybersecurity objectives.
- Practitioner’s report. The third component is the practitioner’s report, which contains an opinion addressing both subject matters of the examination. Specifically, the opinion addresses whether (a) the description is presented in accordance with the description criteria and (b) the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives based on the control criteria.
SOC for Cybersecurity Resources
Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program (description criteria) are used by management in designing and describing their cybersecurity risk management program, and by CPAs to report on management’s description.
Trust Services Criteria for Security, Availability, and Confidentiality (control criteria), are used by CPAs to provide advisory or attestation services to evaluate the controls within an entity’s cybersecurity risk management program.
AICPA Guide Reporting on an Entity’s Cybersecurity Risk Management Program and Controls, used by CPAs engaged to examine and report on an entity’s cybersecurity risk management program.
SSAE No. 18, Attestation Standards: Clarification and Recodification (which includes AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements), the standards CPAs follow when performing and reporting on the cybersecurity attestation examination described in the guide, Reporting on an Entity’s Cybersecurity Risk Management Program and Controls.
Nonattest Services FAQ Document, prepared by AICPA Professional Ethics Division staff, which provides answers to frequently asked questions (FAQs) on independence requirements for nonattest services, including cybersecurity-related services.
SOC for Cybersecurity - Key Terms
Difference between Cybersecurity and Information Security
Cybersecurity refers to the processes and controls implemented by an entity to manage cybersecurity risks. Because the processes and controls that address cybersecurity risks also address the vast majority of the entity’s other information security risks, the terms cybersecurity and information security are often used interchangeably. The main difference is that information security also addresses risks arising from computer systems that are physically isolated from other electronic systems, and the protection of information stored in a format that is not accessible through electronic means (such as printed paper stored in filing cabinets). From a practical standpoint, however, the difference is minor because most entities store, process, use and transmit information electronically. For purposes of the cybersecurity risk management examination, there is no distinction between the two terms. By using the term cybersecurity instead of information security, boards and senior management are acknowledging the new and magnified risks inherent in doing business in cyberspace. They also recognize that the cyberspace environment is becoming increasingly hostile. The almost daily appearance of new threat actors who exploit the vulnerabilities of cyberspace for criminal or malicious purposes, and their use of new technologies to carry out their attacks, increases the risks of operating in cyberspace. Entities therefore have to continually develop more effective and more targeted processes and controls to respond to those risks, which requires board members and senior management to think well beyond the traditional IT areas of networks, applications and data stores.
Cybersecurity Risk Management Program
A cybersecurity risk management program is defined as the set of policies, processes, and controls designed to protect information and systems from security events that could compromise the achievement of the entity’s cybersecurity objectives and to detect, respond to, mitigate, and recover from, on a timely basis, security events that are not prevented.
Cybersecurity objectives are objectives established by management that address cybersecurity risks that could affect the achievement of the entity’s overall business objectives (including compliance, reporting, and operational objectives). They vary depending on the environment in which the entity operates, the entity’s mission and vision, the overall business objectives established by management, risk appetite, and other factors. For example, a telecommunications entity may have a cybersecurity objective related to the reliable functioning of those aspects of its operations that are deemed to be critical infrastructure, whereas an entity that promotes online dating is likely to regard the confidentiality of personal information collected from its customers as a critical factor towards the achievement of its operating objectives.