About SOC for Cybersecurity

Cybersecurity attacks compromise critical data of corporations, governments, not-for-profits and private companies. With high-profile attacks on the rise, the American Institute of Certified Public Accountants (AICPA) issued the SOC for Cybersecurity Reporting Framework. Using it, organizations can communicate pertinent information regarding their cybersecurity risk-management efforts and educate stakeholders about the systems, processes and controls they have in place to detect, prevent and respond to breaches.

Purpose and Use

A SOC for Cybersecurity report provides organizations with objective assurance that the appropriate systems, processes and controls exist to manage a cyberattack, enabling stakeholders to make informed decisions.

The report can be distributed to an organization’s senior management, board of directors, analysts and investors, and business partners.

Reporting Levels

The AICPA determined that three separate types of reports were needed to address the information security reporting needs of organizations.

  • Entity — Provides transparency into the key elements of the entity’s cybersecurity risk management program.
  • Service provider — In addition to the entity-level benefits, provides sufficient, detailed information to address the user’s vendor risk management needs.
  • Supply chain — In addition to the entity-level benefits, provides sufficient, detailed information to address the user’s supply chain risk management needs.

Components of the Report
  • Management’s description — The description of the entity’s cybersecurity risk management program.
    This description is designed to provide information about how the entity identifies its information assets, the ways in which the entity manages the cybersecurity risks that threaten it, and the key security policies and processes implemented and operated to protect the entity’s information assets against those risks.
  • Management’s assertion — Management provides the assertion regarding the presentation and effectiveness of the controls in place to achieve the cybersecurity criteria. The assertion addresses description criteria and control criteria.
  • Practitioner’s opinion — A CPA’s opinion on the description of the entity’s cybersecurity risk-management program and the effectiveness of controls within that program to achieve the entity’s cybersecurity objectives.

Who Needs a SOC for Cybersecurity Report?

A SOC for Cybersecurity examination may be performed for any type of organization, regardless of size or industry. This may include lenders, investors, analysts, insurance providers, and regulators. If you’re looking to minimize your organization’s risk, the SOC for Cybersecurity may be right for you.

Benefits of a SOC for Cybersecurity Report

Most cybersecurity experts agree that regardless of an organization’s size, a breach is not a matter of if, but when. Be proactive in ensuring your security controls and protecting your business interests with a SOC for Cybersecurity report. Benefits include:

  • Increased transparency and assurance about cybersecurity program effectiveness
  • Elevated stakeholder confidence in an organization’s preparedness
  • Ability to promote internal operational efficiency

Did You Know?

70% of IT and security professionals believe that cybersecurity threats to their organization are growing, and almost 90% have faced at least one attack on their secure systems.
— 2015 Aspen Institute and Intel Security Report

Now is the time to assess the effectiveness of your organization’s cybersecurity risk-management program.
No matter your company size or industry, BARR can help increase transparency and confidence for your stakeholders — and implement a scalable, flexible framework as your business grows.

Types of SOC for Cybersecurity Reports

Type 1 Report

The SOC for Cybersecurity Type 1 Report (referred to as a point-in-time report) includes a description of a service organization’s system and verifies whether the internal controls described by the service organization are suitably designed to meet specified control objectives. The Type 1 report reflects your organization’s controls as of a specific date and is typically used by first-time issuers as a precursor to a Type 2 report.

Type 2 Report

The SOC for Cybersecurity Type 2 Report (referred to as a specific point in time report) provides the same information as the Type 1 report, but also includes a management assertion and an auditor’s opinion on the operating effectiveness of your controls. This type of report reflects your organization’s controls over the course of a specific review period.

Why BARR for SOC Reporting

  • BARR’s SOC clients report that its services lead to a 70% reduction in customer compliance questionnaires
  • SOC clients spend 75% less time on the internal resources needed to pass an audit
  • 100% referral and satisfaction rate from clients
  • Proven practical, adaptive approach that simplifies SOC reporting processes
  • Team members serve on task forces responsible for developing SOC reporting standards
  • Competitive, fixed rates to accommodate growing enterprises
