What is SOC for Cybersecurity?

Recognizing that cybersecurity is not just an IT problem; it’s an enterprise risk management problem that requires a global solution, the AICPA introduced a cybersecurity risk management reporting framework called System and Organization Controls (SOC) for Cybersecurity to help organizations communicate the effectiveness of their cybersecurity risk management program. SOC for Cybersecurity is an examination engagement performed in accordance with the AICPA’s attestation standards on an organization’s cybersecurity risk management program. The cybersecurity risk management examination report includes management’s description of the organization’s cybersecurity risk management program, management assertion, and the auditor’s report (opinion letter).

Unlike the other SOC attestations, SOC for Cybersecurity is for ANY type of organization. While the traditional SOC reports are only intended for businesses defined as “service organizations,” the new SOC for Cybersecurity is applicable to all entities. Additionally, the SOC 2, the SOC for Cybersecurity is not a restricted use report, so organizations are able to utilize a SOC for Cybersecurity report to communicate their security and cybersecurity risk management efforts to a larger audience – including the board of directors, investors, regulators, and prospective customers.

What are the Main Differences Between a SOC 2 and SOC for Cybersecurity?

The four key differences in a SOC 2 examination and a SOC for Cybersecurity include:

  • The purpose and use of the report,
  • The audience,
  • Subject Matter
  • Report types, and
  • How subservice organizations are treated.

Purpose and Use

A SOC for Cybersecurity report communicates information regarding an organization’s cybersecurity risk management efforts, which gives the report readers added assurance over an organization’s risk management process. A SOC 2 is used by service organizations only, needing to validate their product or services to their customers related to information and security processes. A SOC 2 report communicates information about their internal controls relevant to information security.


SOC for Cybersecurity is a general user report and is designed to be used by anyone whose decisions are directly impacted by the effectiveness of an organization’s cybersecurity controls. A SOC 2 is more restrictive as its intended for an audience with a prior understanding of the system, and the Trust Services Criteria, such as the user entity of the services.

Subject Matter

The contents of a SOC for Cybersecurity report and SOC 2 report have a similar structure, but different subject matter. Each report contains management’s description, management’s assertions, and the auditor’s opinion. In a SOC for Cybersecurity report, each of these components will be related to the organization’s cybersecurity risk management program and the effectiveness of controls to meet cybersecurity objectives. In a SOC 2 report, each of these components will be related to the service organization’s system and the effectiveness of controls as the relate to the Trust Services Criteria.

The main difference to remember between SOC for Cybersecurity and SOC 2 is the reporting on a cybersecurity risk management program versus a system and the Trust Services Criteria.

Report Types

There are two types of SOC 2 reports, a Type 1 and a Type 2 report. A Type 1 report is an attestation of the fairness of the presentation of the description of the system, and the design of a service organization’s controls. The Type 1 report provides assurance as of a point in time (audit date). A type 2 report is an attestation that includes the components of the Type 1 report, but also includes the auditor’s tests of the design and operating effectiveness of controls over a specified period of time (audit period).

The SOC for Cybersecurity has a similar report choice but they are designated differently. The ’Type 1’ version of the SOC for Cybersecurity is named the design-only examination, while the standard SOC for Cybersecurity tests both the design and operating effective of controls, by default (similar to a SOC 2 Type 2).

Subservice Organizations

In a SOC 2 report, an organization can choose to include or carve out certain third parties, known as subservice organizations, from the scope of the report. In a SOC for Cybersecurity engagement, organizations are not able to delegate control responsibilities to third parties. Instead organizations are responsible for all controls within the risk management program. This means that if an organization is using third parties for controls within its program, the organization must include the third party and their associated controls within the scope of the audit.

Additionally, when evaluating the effectiveness of the controls within the organization’s risk management program, the auditor must conclude on whether the organization’s monitoring controls over the processes and controls performed by third parties are effective to achieve the organization’s cybersecurity objectives.

Therefore, the organization being accessed should have clear and formal monitoring controls over third parties.

What Does the Process Look Like?

The AICPA’s Assurance Services Executive Committee (ASEC), through its Cybersecurity Working Group developed a set of benchmarks, known as description criteria, that organizations can use as guiding principles to define their cybersecurity objectives and design a corresponding cyber risk management program to meet those objectives. The common language established by the framework standardizes the codification and communication of existing cyber policies, procedures and controls, increasing transparency inside and outside the organization. At the same time, the flexibility of the AICPA risk management framework enables companies to account for nuances and include industry-specific considerations or additional criteria.

Readiness Assessment & Gap Analysis

The framework can also be used to benchmark the current state of an organization’s cyber program. A SOC for Cybersecurity Readiness Assessment can help you organization identify deficient or insufficient controls, policies and procedures, and quantify cyber risk against a standard set of criteria. This gap analysis can be used to develop remediation strategies or reprioritize cyber resources. For organizations considering a SOC for Cybersecurity attestation engagement, a readiness assessment is key to understanding their level of preparedness and preemptively addressing any issues that could result in a qualified opinion from the auditor.

Independent Cyber Risk Examination

An independent cyber risk examination can be used to provide an unbiased, third-party assessment of the design and operating effectiveness of internal controls. An independent cyber risk assessment that meets the rigors of SOC attestation provides a higher level of assurance to management and the board, as well as interested outside parties.

The AICPA has developed a set of benchmarks known as description criteria, that are used by management, when preparing a description of an organization’s cybersecurity risk management program, and used by auditors when evaluating that description, in connection with services performed on an organization’s cybersecurity risk management program. For a SOC for Cybersecurity attestation, the auditor expresses their opinion on whether the description presented is in accordance with the description criteria.

The description criteria for a SOC Cybersecurity examination are categorized into the nine sections below:

  1. Nature of business and operations
  2. Nature of information at risk
  3. Cybersecurity risk Management Program objectives
  4. Factors that have a significant effect on inherent cybersecurity risks
  5. Cybersecurity risk governance structure
  6. Cybersecurity risk assessment process
  7. Cybersecurity communications and the quality of cybersecurity information
  8. Monitoring of the Cybersecurity risk Management Program
  9. Cybersecurity control processes

Alchemi Advisors Bring Expertise, Add Value

In today’s world, information systems are incredibly interconnected, but this comes with a greater level of complexity and risk. Who you are, what you do, and what information you possess can make your organization a target for a cyber attack. Undergoing a SOC for Cybersecurity audit is a proactive way to demonstrate the effectiveness of and commitment to your cybersecurity risk management efforts. SOC for Cybersecurity reports can also help your organization maintain loyal clients and attract new ones, operate more efficiently, avoid the consequences of a cyber attack, and most importantly: assure clients that their information is protected.
As with any business and technology journey it’s important to know where an organization’s current state, the path forward, and the necessary resources. The pressures of everyday operations and resource constraints preclude a standards-based, more systematic approach. By partnering with experts versed in the cybersecurity landscape, you organization will take an essential step to understand and build a roadmap to achieve a secure IT environment that will meet stakeholder expectations. Alchemi Advisory Group has the expertise and the experience to assist your organization in achieving cybersecurity goals.


Don’t get Tangled Up

Let Us Help Bring Order to Your Compliance Chaos



4101 McEwen Road
Suite 205
Dallas, TX 75244
Phone: (888) 590-1618
Email: info@thealchemigroup.com