The AICPA ASEC, through its Cybersecurity Working Group, has developed a set of benchmarks, known as description criteria, to be used when preparing and evaluating the presentation of a description of the entity’s cybersecurity risk management program (description). An entity’s cybersecurity risk management program is the set of policies, processes, and controls designed to protect information and systems from security events that could compromise the achievement of the entity’s cybersecurity objectives and to detect, respond to, mitigate, and recover from, on a timely basis, security events that are not prevented. This document presents the description criteria.
Applying the description criteria in actual situations requires judgment. Therefore, in addition to the description criteria, this document also presents implementation guidance for each criterion. The implementation guidance identifies factors to consider when making judgments about the nature and extent of the disclosures called for by each criterion. The implementation guidance does not address every possible situation; therefore, when applying the description criteria, users should carefully consider the specific facts and circumstances of the entity and its environment.