SchellmanCON is back! Join us for our virtual conference on March 6 & 7, 2025

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

SOC for Cybersecurity and How it Can Help You

Cybersecurity Assessments | SOC Examinations

Though cybercrime reportedly rose 600% due to the global pandemic we’re in, it’s been a steadily growing problem for years. As you may know, suffering a data breach means you also suffer extra mitigation costs, but more critically, you lose the trust of your customer. That’s something you absolutely need to avoid, and SOC for Cybersecurity–created to help organizations particularly worried about cyberattacks–can help you do that.

You’ve heard of SOC 2 and most likely ISO 27001, but SOC for Cybersecurity is still pretty new in the compliance landscape. You might be asking, “Do I really need this examination when there are many other proven options out there?”

At Schellman, we have been providers of SOC services and their predecessors for close to two decades now, which has meant we’ve been at the forefront of these new developments in this area as they’ve happened, and SOC for Cybersecurity is an important one. In this article, we’ll outline exactly what SOC for Cybersecurity is, its criteria, and why you need it.

With this information in hand, you’ll understand how this particular examination can help you mitigate cybersecurity risk, help you better protect your customers’ information, and give yourself some added assurance against these threats as well.

What is SOC for Cybersecurity?

Similar to its sibling attestations within SOC, the American Institute of CPAs (AICPA) is responsible for SOC for Cybersecurity, which was introduced in 2017 in response to a marketplace that was becoming more and more concerned with cyberattacks. 

A set of auditing standards designed to help organizations demonstrate their commitment to cybersecurity and provide assurance to their customers and stakeholders that their systems and processes are secure, SOC for Cybersecurity also redefined SOC reports. When it previously stood for Service Organization Controls, now the term represents System and Organization Controls.

Where SOC was previously limited to the evaluation of only said service organizations, a door has been opened. Now, other types of organizations that didn’t previously qualify as a “service organization” can undergo this examination of their internal controls against a set of SOC requirements.

In fact, SOC for Cybersecurity is the first SOC examination developed specifically for other organizations. It offers a structured approach to implementing security controls that are efficient, measurable, and most importantly, mitigate that worrying cybersecurity risk. By going through with an examination of these controls, you’ll get an independent report on the effectiveness of these controls–that’s invaluable if you’re looking to assert a strong security posture in your marketplace.

What are the Criteria for SOC for Cybersecurity?

So how does it do that, you’re wondering. What makes this different from say, a SOC 2?

The AICPA developed two complementary sets of criteria as part of this new examination:

  • Description Criteria: You’ll have to provide a narrative description of your current cybersecurity risk management program as well as your security approach. These are not controls–rather, the AICPA set requirements for what must be included in your description.

Your auditor will examine whether your cybersecurity risk management program meets these criteria during your examination.

 

Things you will need describe:

  1. Nature of business and operations
  2. Nature of information at risk
  3. Cybersecurity risk management program objectives
  4. Factors that have a significant effect on inherent cybersecurity risks
  5. Cybersecurity risk governance structure
  6. Cybersecurity risk assessment process
  7. Cybersecurity communications and the quality of cybersecurity information
  8. Monitoring of the cybersecurity risk management program
  9. Cybersecurity control processes
  • Control Criteria: You will choose this–a baseline of criteria to measure the effectiveness of your own controls against. Interestingly, there are no “new” controls for SOC for Cybersecurity. To choose your ideal baseline, you can use one of several options, including
    • SOC 2 Trust Services Criteria for Security, Availability, and Confidentiality;
    • NIST Critical Infrastructure Cybersecurity Framework; or
    • ISO 27001/27002, among others.

It doesn’t matter which control criteria you choose to model your cybersecurity on–your assessor will examine how close or how far from the mark you are from this reference point.

 

5 Benefits of Getting a SOC for Cybersecurity Report

If you're still unclear about whether or not you really need a SOC for Cybersecurity examination, let’s not beat around the bush–you do. What solid cybersecurity really requires is constant vigilance, but having an independent expert come in and specifically assess what you’re doing in this area can provide you with:

  • Independent Validation of Your Diligence Regarding Cybersecurity: Customers, partners, investors, and internal stakeholders don’t just have to take your word for it and a SOC for Cybersecurity examination would build trust with them.
  • Enhanced Security:  Implementing the controls required for SOC for Cybersecurity can enhance your organization's security posture, making it more resilient to potential cyber threats.
  • An Advantage Over Your Competition: SOC for Cybersecurity is still a relatively new examination–how many of your rivals will be able to hand a report specifically affirming their cybersecurity practices? These reports are for general use, so you can distribute them at your discretion with no restrictions.
  • A Better Position Against Data Breaches: A SOC for Cybersecurity report doesn’t just affirm to those outside your organization that you’re doing all the right things. By asking you to describe everything we noted above, it can also help everyone within your organization understand what you’re doing.

Leaving that aside, here’s another take.

More and more, there’s reliance on third parties within the digital supply chain, and SOC for Cybersecurity can help you get a higher level of assurance that your vendors’ cybersecurity risk posture is in alignment with your expectations.

What’s that? “Leverage it from a vendor?”

That’s right–if you still aren’t convinced this framework is necessary for you, perhaps you should instead request one from your business partners and vendors. You can do that now, thanks to that aforementioned redefinition of SOC.

SOC for Cybersecurity engagements may be performed for any type of organization, regardless of size or the industry in which it operates–that means your suppliers that may have escaped any compliance obligations before could be on the hook if you’d like them to be.

SOC for Cybersecurity FAQs

Who needs a SOC for Cybersecurity Report?

Any organization!  Regardless if you're a provider of goods or services, profit or non-profit,  if your organization handles sensitive information, you can benefit from a SOC for Cybersecurity report.

How Often Should You Get a SOC for Cybersecurity Report?

The frequency of any SOC examination depends on various factors, including the size of your organization, the complexity of your systems and processes, and regulatory requirements. That being said, it's recommended you conduct your chosen SOC examinations at least once a year.

Can a SOC for Cybersecurity Report be Used as Evidence of Compliance with Regulatory Requirements?

Yes, when properly planned and constructed, SOC for Cybersecurity reports can be used as evidence of compliance with regulatory requirements such as HIPAA and PCI DSS.  To ensure this, engage a skilled auditor who will consider and include those necessary components in the scope of your SOC for Cybersecurity report.

How Much Does a SOC for Cybersecurity Audit Cost?

The cost of obtaining a SOC for Cybersecurity report varies depending on various factors, including the size of the organization, the complexity of its systems and processes, and the type of report.

Moving Forward with Your SOC for Cybersecurity Examination

We’re all feeling it–the situation with cyber threats is more precarious now than perhaps ever. We’re all perpetually worried about attacks capable of disrupting our business operations and upsetting our customers. But SOC for Cybersecurity represents a workable solution to that anxiety–if the first rule in any fight is to protect yourself at all times, this new examination can help you do that.

Amidst a sea of compliance management initiatives that are available for your pursuit, this one is still pretty new. And while it may seem highly specialized, now you know how it can both your own organization directly and your chain of vendors.

As you weigh your options, you may still have some questions about this particular examination or others. We’re happy to speak with you to answer those and alleviate any other concerns you may have regarding this brand of compliance.

If you’d like to instead continue your research, read our articles to better understand the entire spectrum of SOC services that stand to benefit you. Their information will help you find the right fit for your organization and help set conditions for your eventual talks with your service auditor:

About JORDAN HICKS

Jordan Hicks is the Manager of Content at Schellman. As the owner of content marketing initiatives across all digital platforms and formats, she is responsible for the ideation of content, the authoring and development of the content, as well as developing and managing the editorial calendar to ensure the marketing goals are met as it relates to content.