SOC 2® – SOC for Service Organizations: Trust Services Criteria
Driving toward a well-established cybersecurity standard is a priority for most organizations today. Doing so builds high confidence in the organization's own security posture, and it also gives clients, investors, boards and prospective clients a valuable sense of assurance. The AICPA SOC for Cybersecurity provides an independent, organization-wide assessment of security controls. The SOC 2 provides insight into specific critical systems using the same evaluation criteria and is well suited to a service organization.
The SOC 2 assessment is based on the AICPA Trust Services Criteria, while the SOC for Cybersecurity may be based on the Trust Services Criteria or a similar standard such as the NIST CSF or ISO 27001.
Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
Typically an organization will undertake an assessment against the combination of criteria that most completely represents the risk to its business. The resulting assessment report helps meet the expectations of users who need detailed information and assurance about the controls at a service organization relevant to the security, availability and processing integrity of the systems the service organization uses to process users' data, and to the confidentiality and privacy of the information processed by these systems.
These reports can drive:
- Effective organization oversight
- Internal Governance and Risk Management
- Regulatory oversight
- Third party management
Types of reports
Type 1: Report on management's description of a service organization's system and the suitability of the design of controls
Type 2: Report on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls
SOC 2® is a registered trademark of AICPA.
