What is SOC for Cybersecurity and How It Can Help You (and Your Vendors)

Back in the days when the American frontier was still expanding westward, that expansion happened piece by piece.

At first, a settlement might have featured exactly one structure, and that place was where everyone went for everything. Then, as time passed, more and more buildings would pop up–each with its own specific purpose–which allowed settlers to take their business directly to whoever offered what they especially needed or wanted, rather than just returning to the general store each time.

At first, they had to settle for what they had, but as things progressed, frontiersmen could better take care of every worry through a specific professional that offered specialized care. The same is true for compliance, but also particularly for the SOC standard.

One of its latest evolutions is SOC for Cybersecurity, created to help organizations particularly worried about cyberattacks. Cybercrime is reportedly up 600% due to this global pandemic we’re in, but it’s been a steadily growing problem for years. As you may know, suffering a data breach means you also suffer extra mitigation costs, but more critically, you lose the trust of your customer.

That’s something you absolutely need to avoid, and SOC for Cybersecurity can help you do that.

You’ve heard of SOC 2 and most likely ISO 27001, but SOC for Cybersecurity is still pretty new in the compliance landscape. You might be asking, “Do I really need this examination when there are many other proven options out there?”

Like the frontiersman who upgraded from getting their goods at the general store to getting hides from hunters and produce from farmers, let us convince you that this specialized examination will help protect you against cybercriminals in a way other initiatives do not.

In this article, we’ll outline exactly what SOC for Cybersecurity is, a baseline on its criteria, and why you need it. At Schellman, we have been providers of SOC services and their predecessor for close to two decades now, which means we’ve been at the forefront of new developments in this area as they’ve happened, and SOC for Cybersecurity is an important one.

Let us explain why. With this information in hand, you’ll understand how this particular examination can help you mitigate cybersecurity risk, help you better protect your customers’ information, and give yourself some added assurance against these threats as well.

What is SOC for Cybersecurity?

As with its sibling attestations within SOC, the American Institute of CPAs (AICPA) is responsible for SOC for Cybersecurity. In 2017, they responded to a marketplace that was becoming more and more concerned with cyberattacks with the release of a new Cybersecurity Risk Program examination.

The introduction of this new examination also redefined SOC reports. Where SOC previously stood for Service Organization Controls, the term now represents System and Organization Controls.

Where SOC was previously limited to evaluation of only said service organizations, a door has been opened. Now, other types of organizations who didn’t previously qualify as a “service organization” can undergo this examination of their internal controls against a set of SOC requirements.

In fact, SOC for Cybersecurity is the first SOC examination developed specifically for other organizations.

Probably because we’re all pretty concerned with cybersecurity, no matter what we’re doing. You know what we mean–everything is pivoting to digital and online marketplaces, so there's increased consumer wariness regarding which organizations can be trusted with their sensitive information. You want to be one of the ones they have confidence in, and there’s no better way to validate your cybersecurity risk management program than with an independent validation.

That’s what SOC for Cybersecurity can do for you, and now it doesn’t matter if you’re a law firm, a consulting firm, or Google. SOC for Cybersecurity can help protect everyone.

It offers a structured approach to implementing security controls that are efficient, measurable, and most importantly, mitigate that worrying cybersecurity risk. By going through with an examination of these controls, you’ll get an independent report on the effectiveness of these controls–that’s invaluable if you’re looking to assert a strong security posture to your marketplace.

What are the Criteria for SOC for Cybersecurity?

So how does it do that, you’re wondering. What makes this different from, say, a SOC 2?

The AICPA developed two complementary sets of criteria as part of this new examination:

  • Description Criteria: You’ll have to provide a narrative description of your current cybersecurity risk management program as well as your security approach. These are not controls–rather, the AICPA set requirements for what must be included in your description.

Your auditor will examine whether your cybersecurity risk management program meets these criteria during your examination.

Things you will need to describe:

  1. Nature of business and operations
  2. Nature of information at risk
  3. Cybersecurity risk management program objectives
  4. Factors that have a significant effect on inherent cybersecurity risks
  5. Cybersecurity risk governance structure
  6. Cybersecurity risk assessment process
  7. Cybersecurity communications and the quality of cybersecurity information
  8. Monitoring of the cybersecurity risk management program
  9. Cybersecurity control processes

  • Control Criteria: You will choose this–a baseline of criteria to measure the effectiveness of your own controls against. Interestingly, there are no “new” controls for SOC for Cybersecurity. To choose your ideal baseline, you can use one of several options, including:
    • SOC 2 Trust Services Criteria for Security, Availability, and Confidentiality;
    • NIST Critical Infrastructure Cybersecurity Framework; or
    • ISO 27001/27002, among others.

It doesn’t matter which control criteria you choose to model your cybersecurity on–your assessor will examine how close to or far from this reference point you are.

Do You Need SOC for Cybersecurity?

Let’s not beat around the bush–yes. What solid cybersecurity really requires is constant vigilance, but having an independent expert come in and specifically assess what you’re doing in this area can provide you with:

  • Independent Validation of Your Diligence Regarding Cybersecurity: Customers, partners, investors, and internal stakeholders don’t just have to take your word for it.
  • An Advantage Over Your Competition: SOC for Cybersecurity is still a relatively new examination–how many of your rivals will be able to hand over a report specifically affirming their cybersecurity practices? These reports are for general use, so you can distribute them at your discretion with no restrictions.
  • A Better Position Against Data Breaches: A SOC for Cybersecurity report doesn’t just affirm to those outside your organization that you’re doing all the right things. By asking you to describe everything we noted above, it can also help everyone within your organization to understand what you’re doing.

Leaving that aside, here’s another take.

More and more, there’s reliance on third parties within the digital supply chain, and SOC for Cybersecurity can help you get a higher level of assurance that your vendors’ cybersecurity risk posture is in alignment with your expectations.

What’s that? “Leverage it from a vendor?”

That’s right–if you still aren’t convinced this framework is necessary for you, perhaps you should instead request one from your business partners and vendors. You can do that now, thanks to that aforementioned redefinition of SOC.

SOC for Cybersecurity engagements may be performed for any type of organization, regardless of size or the industry in which it operates–that means your suppliers that may have escaped any compliance obligations before could be on the hook if you’d like them to be.

Moving Forward with Your SOC for Cybersecurity Examination

We’re all feeling it–the situation with cyber threats is more precarious now than perhaps ever. We’re all perpetually worried about attacks capable of disrupting our business operations and upsetting our customers. But SOC for Cybersecurity represents a workable solution to that anxiety–if the first rule in any fight is to protect yourself at all times, this new examination can help you do that.

Amidst a sea of compliance initiatives that are available for your pursuit, this one is still pretty new. And while it may seem highly specialized, now you know how it can help both your own organization directly and your chain of vendors.

As you weigh your options, you may still have some questions about this particular examination or others. We’re happy to speak with you to answer those and alleviate any other concerns you may have regarding this brand of compliance.

If you’d like to instead continue your research, read our articles to better understand the entire spectrum of SOC services that stand to benefit you. Their information will help you find the right fit for your organization and help set conditions for your eventual talks with your service auditor.

About the Author

Jordan Hicks

Jordan Hicks is the Content Manager at Schellman. In addition to maintaining Schellman's editorial calendar and its relevant processes, she is also responsible for the editing and revising of all written copy within the firm, as well as creating original content for publication.
