SYSTEM AND ORGANIZATION CONTROLS FOR CYBERSECURITY

Cybersecurity is among the top issues currently on the minds of boards of directors, managers, investors, customers and other stakeholders of organizations of all sizes—whether public or private. Managing cybersecurity concerns is especially challenging because even an organization with a highly mature risk management program is susceptible to breaches that may not be detected in a timely manner.

Users need timely, useful information about how organizations are managing these threats and whether organizations have effective processes and controls in place to prevent and detect breaches that could disrupt their business, result in financial losses, or destroy their reputation. SOC for Cybersecurity is a market-driven, flexible, and voluntary reporting framework that helps organizations communicate about their cybersecurity risk management programs and the effectiveness of program controls and for CPAs to examine and report on such information. It uses a common, underlying language, or framework, for cybersecurity risk management reporting, almost akin to US GAAP or IFRS for financial reporting, to enable all organizations, in all industries, to communicate relevant information about their cybersecurity risk management programs. Use of this common language brings comparability to the disclosures and enhances and complements disclosures based on other commonly used security frameworks, such as NIST or ISO’s 27001, that are in the market today.

A CPA examination report on an organization’s prepared cybersecurity risk management information enhances the trust and confidence that users can place on such information.