While there are some similarities between a SOC 2 report and the new SOC for Cybersecurity reports, here are the primary ways these examination reports differ:
The Scope and Intended Audience of the Report
SOC for Cybersecurity addresses an entity’s cybersecurity risk management program (typically at the enterprise level) and is intended for stakeholders interested in an assurance that an entity’s risk management program is designed and operated effectively.
A SOC 2 report is for organizations that provide one or more IT-related services to customers (as a service provider) and is intended to give those customers information on the relevant controls at the service organization that are associated with the service.
The Controls Baseline Used for Evaluation
The baseline against which an entity is assessed in SOC for Cybersecurity is the Description Criteria, which is a set of benchmarks to be used when preparing and evaluating the presentation of a description of the entity’s cybersecurity risk management program.
The baseline against which a service organization is assessed in a SOC 2 report is one or more Trust Services Criteria, a set of control criteria for use in attestation or consulting engagements to evaluate and report on controls over information and systems utilized in the services provided.
An organization pursuing a SOC for Cybersecurity may utilize the Trust Services Criteria when designing or assessing its control requirements. However, the Description Criteria must be met and addressed in management’s description. A company may also utilize other security frameworks outside of the AICPA’s Trust Services Criteria as the basis for its cybersecurity risk management program, such as NIST 800-53 or ISO 27001/2.
The Report User & Purpose
The intended user for each report is quite different as the reports serve different purposes and audiences.
SOC 2—SOC 2 reports are restricted-use reports intended for people with sufficient knowledge and understanding of the service organization and its system. Often this includes customers who want assurance that the platform they are using is operated with a set of adequately functioning security controls. As a general rule, SOC 2 reports can only be shared with customers of the service organization.
SOC for Cybersecurity—SOC for Cybersecurity reports are general-use reports, and the objectives of the report are often determined by company management. These reports are meant for a broader audience than SOC 2 reports and are typically delivered to those who might be impacted by or interested in an entity’s cybersecurity risk management program. Interested parties want confirmation that the company’s cybersecurity efforts are adequately reducing cybersecurity risk. This group includes managers, analysts, investors and even customers. A SOC for Cybersecurity report can be shared with anyone inside or outside an organization, at that organization’s discretion.
Treatment of a Subservice Organization
A “subservice” organization is a third party that provides one or more capabilities to the entity being assessed that fall within the control scope and/or evaluation criteria for the particular assessment. As such, that third party’s services can have a significant impact on the environment being assessed.
SOC 2—In a SOC 2 report, service organizations can either include or carve out a subservice vendor from the scope of the report.
SOC for Cybersecurity—Organizations are responsible for all controls within the risk management program, which means that if an entity is utilizing third parties for controls within its program, the entity must include that third party (and the associated controls) in the scope of its evaluation.
Controls Matrix in the Report
SOC 2—In a SOC 2 report, the full Trust Services Criteria and the list of controls mapped to these criteria are included in the report, along with the CPA’s tests of controls and their results.
SOC for Cybersecurity—In a SOC for Cybersecurity report, the controls matrix is not included. While management’s description of its cybersecurity program is included, as well as management’s assertion and the CPA’s opinion on that description, the detailed cybersecurity controls and the results of the tests of each control are not. Publishing this type of sensitive information about an organization’s control environment in a general-use report could be detrimental to the organization’s security posture and could give an attacker useful information for planning an attack. Therefore, those details are omitted from the report.