Overview of the SOC for Cybersecurity
In 2017, the AICPA published guidance on a new cyber security risk management examination, System and Organization Controls for Cybersecurity (SOC for Cybersecurity). The SOC for Cybersecurity examination was created to address the growing need for reporting and attestation over an organization's cyber security posture.
The SOC for Cybersecurity can be beneficial in providing senior business leaders, owners, investors, clients, and the board of directors with an independent report over the company's Cyber Risk Management Program. The SOC for Cybersecurity report is intended for general distribution and can be used as a key enabler for sales and marketing teams attempting to streamline the vendor management and due diligence process. In a world where data security and privacy are only increasing in importance, having a SOC for Cybersecurity report could be a key differentiator, if not a competitive advantage, in the marketplace.
Additionally, an attractive feature of the SOC for Cybersecurity is that the examination can be right-sized to fit the needs and posture of your organization – you can leverage what you are already doing for security and compliance and use your major security framework of choice for the examination and report (e.g. ISO 27001, NIST 800-53, CIS CSC, etc.).
SOC for Cybersecurity vs. SOC 2
The SOC for Cybersecurity examination covers an organization as a whole and can assess the organization against any of the major security frameworks. The well-known SOC 2 examination, by contrast, prescriptively evaluates a service organization against the AICPA's Trust Services Criteria and focuses on the design of controls and the operating effectiveness of controls at a Service Organization, which may be scoped as an organization, a business unit within an organization, or even a system within a business unit.
While there are similarities between the two examinations, the purpose, audience, and benefits of obtaining a SOC for Cybersecurity and SOC 2 report are different, and understanding these distinctions is helpful in choosing the right examination for your organization. Below are some of the highlights and distinctions between the SOC for Cybersecurity and SOC 2 examinations.
| | SOC for Cybersecurity | SOC 2 |
|---|---|---|
| Scope | Entire Cyber Security Risk Management Program for an organization | Scoped to a specific service organization, business unit within the service organization, or specific service line(s) |
| Baseline for Evaluation | Can rely on any major security framework (ISO/NIST) | Limited to the Trust Services Criteria (note the 2017 TSC are aligned to COSO) |
| Intended Audience | Broad audience: this is a general use report and may be acceptable/beneficial for many parties | Specific audience: this is a restricted report usually intended for the customers utilizing the service from the service organization |
| Third Party Risk | Must be addressed in the report and cannot be carved out: if a third party has access to company data, they must be included in the report | Can carve out sub-service organizations, but must communicate the due diligence and vendor management processes in place |
| Sensitive Information | Does not include the Controls Matrix section because it is very sensitive; the audit work is completed but not included in the report | Controls matrix is included in the report and may include sensitive information (thus a restricted report) |
| Distribution | General distribution | Restricted distribution |
Value Proposition – SOC for Cybersecurity
1. Leverage what you are already doing for compliance to obtain an unrestricted report over the Cyber Risk Management of your organization as a whole
2. Unify the approach to security and reporting (if you use ISO 27001 as your security framework, use that framework for your SOC for Cybersecurity Report)
3. Obtain a differentiator in the marketplace by demonstrating security program maturity to prospects
Value Proposition – SOC 2
1. Appropriately scoped, independent restricted report over one or more of the Trust Services Criteria
2. Satisfy client and vendor requirements, streamlining customer onboarding
3. Hallmark of a mature organization that takes the security, availability, confidentiality, processing integrity, and privacy of its system seriously
Which report do I need?
It depends on the goals of your organization, your industry, and what clients and vendors are asking for and willing to accept. Larger organizations may find they need both a SOC for Cybersecurity and a SOC 2: one for reporting on the Cyber Risk Management of the organization as a whole, and one for reporting over the Trust Services Principles specific to one or more service lines.
How can I learn more?
If you have any questions, feel free to leave one below in the comments section, or send us a message via our contact page.
Note: Risk3sixty Compliance LLC is a registered CPA firm that provides independent audit, SOC, and other attestation services.
Thanks for the summary, Christian. I had heard about the new AICPA standard, but the differences between the SOC-2 for the Security Trust Principle and the SOC for Cybersecurity reports (particularly distribution, framework, and controls matrix inclusion) were less obvious in other articles I came across.
Thanks, Chris. We also have a great whitepaper on the topic if you would like it.
Thanks, Christian (H). That would be great. Let me know if you no longer have my Gmail.