How Can My Organization Benefit from SOC 2 vs. SOC for Cybersecurity?

How Can My Organization Benefit from SOC 2 vs. SOC for Cybersecurity?

Michael Thilker, CPA, CITP, Senior Manager
Posted by Michael Thilker, CPA, CITP, Senior Manager on Mar 27, 2020 10:00:00 AM

Cyber Security on the Mechanism of Metal Gears.With every passing day, more headlines emerge about cyberattacks compromising a seemingly endless array of entities. This problem seems as though it is only getting worse as individuals, corporations, and governments find themselves increasingly vulnerable to sophisticated attacks on their data and resources. The paradigm is changing from ‘if’ an entity will suffer an attack, to ‘when’ will the attack happen?

This unknown creates significant risks for an organization not only from the perspective of their own systems and information, but also from data shared with their customers, vendors, and business partners. Below are some questions you should ask yourself to determine if a SOC examination is appropriate for your organization:

  • When your company suffers a cyber-attack, do you know what to do?

If you do not have a current Cybersecurity Risk Management Program in place at your organization, there are two terrific tools that can provide piece of mind when thinking about the questions above: SOC for Cybersecurity and SOC 2. Below are highlights and distinctions between a SOC for Cybersecurity and SOC 2 examination:

                     

SOC for Cybersecurity

SOC 2

   Type of Organization:

Any type of organization

Limited to service organizations

   Scope:

Entity-wide Cybersecurity Risk Management Program

Scope can vary, but is specifically designed to address a service organization’s controls relevant to the systems used to process user’s data

   Purpose of the Report:

Provide information regarding an organization’s Cybersecurity Risk Management Program

Provide system users with information about controls relevant to security, availability, confidentiality, processing integrity, and/or privacy to support evaluation of internal controls relevant to the systems used to process user’s data

   Intended Users:

Management, Board of Directors, investors, customers, and others who might be impacted by the effectiveness of the entity’s cybersecurity risk management program

Management of the service organization and specified parties who have sufficient knowledge and understanding of the service organization and its system

   Responsible Party:

Management of an organization

Management of a service organization

   Report Restrictions:

None – General distribution

Restricted distribution

   Evaluation Criteria:

Any major cybersecurity framework
  • NIST Cybersecurity Framework (CSF)
  • ISO 27001/27002 (2013)
  • AICPA Trust Services Criteria (TSC)

Limited to AICPA Trust Services Criteria (TSC)

   Depth of Report:

Control Matrix not included in final report, but testing is completed as part of the examination (due to sensitivity of the information)

Control Matrix is included in the report (resulting in the report distribution being restricted)

   Cybersecurity Incidents:

Cybersecurity incidents occurring within the reporting period must be disclosed in the report.

Cybersecurity incidents occurring within the reporting period must be disclosed in the report.

 

The type of organization you represent may be the biggest determinant of the SOC examination you pursue. First you should determine whether your company classifies as a service organization. A few examples include payroll processors, Software-as-a-Service (SaaS) providers, medical claims processors, loan servicers, and data centers. If you are a service organization, the SOC 2 is most likely appropriate, but there could be circumstances where both a SOC 2 and a SOC for Cybersecurity are necessary. Non-service organizations cannot obtain a SOC 2 report, but the features of the SOC for Cybersecurity provide a robust report that enables users to easily understand the importance of cybersecurity to the organization and steps taken to mitigate cybersecurity risks.

In order to effectively complete a SOC examination, a team of licensed CPA’s and information technology and security specialists thoroughly investigate your organization’s cybersecurity risk management program and its effectiveness. The team will have the education, experience, and expertise of performing SOC services. Our team will work with your management chain to produce credible and objective analytical results. Our commitment to quality only comes second to our devotion to integrity.

Multidisciplinary teams incorporate Certified Public Accountants (CPA) and certified information security professionals such as Certified Information Systems Security Professionals (CISSP), Certified Information Systems Auditors (CISA) and Certified Information Technology Professionals (CITP®). These certifications are paired with knowledge of relevant IT systems and technology, including mainframes, networking, firewalls, network management systems, security protocols, and operating systems.

SOC reports are the conjunction between the understanding of IT processes and the complexity of internal controls. We employ these proficiencies to assess the management of operating systems, networking, and virtualization software and related security techniques. An SOC examination will thoroughly explore security principles and concepts, software development, incident management, and information risk management. Our team is also delineated by our:

  • Experience with common cybersecurity publications and frameworks (NIST CSF, ISO 27001/27002, 2013 COSO Internal Control — Integrated Framework, COBIT 5, AICPA Trust Services Criteria)
  • Expertise in evaluating processes, control effectiveness, and offering advisory services relating to these matters
  • Proficiency in measuring performance against established criteria, applying appropriate procedures for evaluating against those criteria, and reporting results
  • Strict adherence to service-specific professional standards, professional code of conduct, and quality control requirements
  • Holistic understanding of entity’s industry and business, including whether the industry is subject to specific types of or unusual cybersecurity risks and uses specific industry technology systems

This introduction should give you a general understanding of the SOC for Cybersecurity and SOC 2 examinations and why they are critical tools for operating in today’s business environment.  Watch for our upcoming posts, wherein we will dig deeper into SOC examinations including:

‘What is the ROI of a SOC report?’

‘How Can a SOC Report be Crafted to Meet the Needs of My Organization?’

‘SOC for Cybersecurity:  Breaking Down the Report’

‘SOC 2:  Breaking Down the Report’

Contact Michael

Topics: Not-for-Profits, For-Profit Entities, Professional Services, Healthcare, SOC Suite