A SOC for Cybersecurity assessment consists of three primary components:
1. Management’s Description
SOC for Cybersecurity requires management to provide a description of how the entity identifies its most sensitive information and manages the cybersecurity risks that threaten that information. The description should also outline the key security policies and processes that the entity has created and put into place to protect its information assets against those risks.
Management’s Description of its cybersecurity risk management program should include insights in all of the following areas:
- Nature of Business & Operations
- Nature of Information at Risk
- Cybersecurity Objectives
- Factors That Have an Effect on Inherent Cybersecurity Risk (including technologies used, organizational characteristics, significant changes in prior period, etc.)
- Cybersecurity Risk Governance Structure
- Cybersecurity Risk Assessment Process
- Cybersecurity Communications
- Monitoring of the Cybersecurity Program
- Cybersecurity Control Processes
To assist management in defining and describing its cybersecurity risk management program effectively and comprehensively, the SOC for Cybersecurity framework includes detailed Description Criteria that management can use as a basis for developing its description, and that the practitioner performing the assessment can use as a baseline for evaluating the entity’s current state.
2. Management’s Assertion
Once a comprehensive description is developed, SOC for Cybersecurity requires management to provide an assertion about that description. In the assertion, management must also state whether the controls within the program were effective in achieving the entity’s cybersecurity objectives. In essence, management must assert that its description aligns with the Description Criteria and that the control processes of its cybersecurity risk management program were operating effectively during the period.
3. Practitioner’s Opinion
The final component of a SOC for Cybersecurity report is the CPA’s opinion on management’s description and on the effectiveness of the controls within the program. In the opinion, the CPA indicates whether management’s description of the entity’s cybersecurity risk management program is consistent with and aligned to the Description Criteria, and whether the controls within that program were effective in achieving the entity’s cybersecurity objectives. This portion of the report is the independent attestation of the entity’s cybersecurity risk management program, and it is typically what third parties and other readers of the report look to in order to validate the material in management’s description.