SOC for Cybersecurity

To keep pace with an increasing focus on mitigating and managing risk, the AICPA issued a reporting framework, SOC for Cybersecurity, for assessing an organization’s cybersecurity risk management program. The SOC for Cybersecurity examination is focused on two primary areas: (1) a description of the organization’s cybersecurity risk management program and (2) the effectiveness of the controls within that program in achieving the organization’s cybersecurity objectives.

The SOC for Cybersecurity examination extends beyond the traditional SOC 2 report, which assesses a service organization’s controls against the Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy), to focus on one specific area of risk for firms today: the prevention and detection of, and response to, growing cyber threats.

The SOC for Cybersecurity report includes three different components:

  • Management’s description: A written description, prepared by management, of the organization’s cybersecurity risk management program: how the organization identifies and manages cyber risk, and the policies, processes and controls in place to mitigate those risks.
  • Management’s assertion: Management’s statement that the description is presented in accordance with the description criteria and that the controls within the program were effective in achieving the organization’s cybersecurity objectives, either as of a point in time or throughout a specified period.
  • Practitioner’s report: The CPA’s opinion on (1) whether the description is presented in accordance with the description criteria and (2) whether the controls in place were effective in achieving the organization’s cybersecurity objectives.


The need for strong cybersecurity controls and, more broadly, a comprehensive risk management program is one that should resonate with all businesses, regardless of size, location, structure or industry. Unlike a SOC 2 report, which is a restricted-use report for a service organization and its specified users, a SOC for Cybersecurity report is a ‘general use’ report. It is not limited to service organizations and is designed for any business that wants to demonstrate its cyber preparedness to relevant parties, including boards of directors, investors, business partners and regulators.


The practitioners at MFA are well-versed in assessing a firm’s internal controls and providing proactive guidance to combat growing security threats and mitigate both internal and external cyber risks. To learn more about our SOC for Cybersecurity examinations, please contact the MFA team today.

Joseph Landry Partner – IT Advisory Practice (978) 557-5353
Lisa Whittemore Partner – Performance & Controls Practice (978) 557-5308