Reporting on an Entity's Cybersecurity Risk Management Program and Controls
Publication


Examining an entity’s cybersecurity risk management program and its controls, or just performing a readiness engagement? Look to this authoritative guide for interpretive guidance.

$99 - $119

Format: E-book
Availability: Lifetime
Product Number: AAGCYB24E
Publication Date: 2024

Product Details

The stakes have never been higher in cybersecurity.

This guide assists CPAs engaged to examine and report on an entity’s cybersecurity risk management program (SOC for Cybersecurity). It also contains information that can assist management in understanding its responsibilities with respect to the engagement.

Help build trust and transparency for stakeholders with our cybersecurity risk management reporting framework.

This authoritative guide shows you how to implement this framework in accordance with the attestation standards using two distinct but complementary sets of criteria:

  • Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Reporting Program. Used by management to provide transparency regarding its cybersecurity risk management program and used by CPAs to report on management’s description.
  • 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (With Revised Points of Focus — 2022). Used by management to evaluate the effectiveness of controls and used by CPAs to evaluate and report on the effectiveness of controls.

This edition of the guide includes updates from SSAE No. 20, Amendments to the Description of the Concept of Materiality, and SSAE No. 21, Direct Examination Engagements.

Key Topics

  • Interpretive guidance on performing and reporting on the cybersecurity risk management examination
  • Illustrative examples of the three components of a cybersecurity risk management examination report: management’s description, management’s assertion, and the practitioner’s report

Who Will Benefit

  • CPAs looking to support clients' cybersecurity efforts
  • CPAs engaged to perform SOC for Cybersecurity examinations
  • Management of an entity looking to issue a SOC for Cybersecurity report

More Details

Access: E-book, Lifetime

Pricing

  • Nonmembers (E-book): $119.00
  • AICPA Members (E-book): $99.00
  • CIMA Members (E-book): $99.00
