Cybersecurity Assurance Reporting Beyond SOC 2 Security

This chapter covers SOC for Cybersecurity as a distinct reporting framework. The key is to separate it from SOC 2 security coverage and understand how broader cybersecurity risk management is described and examined.

In This Chapter

• Key Differences Between SOC 2® for Security vs. SOC for Cybersecurity clarifies the reporting purpose and scope differences between the two frameworks.
• Description Criteria for Cybersecurity Risk Management explains how the entity’s cybersecurity program is described.
• Considerations for Complex IT Environments and Response Plans covers the practical complications of reporting in large or mixed environments.
• Communicating Cybersecurity Findings to External Stakeholders focuses on how results are presented to outside users.

How to Use This Chapter

• Read this chapter when cybersecurity assurance topics are starting to blur together.
• Focus on the subject matter and intended audience of the engagement.
• Revisit it whenever an ISC question asks whether a cybersecurity matter belongs in SOC 2 or SOC for Cybersecurity.

In this section

• How SOC 2 Security Differs from SOC for Cybersecurity
  How SOC 2 Security differs from SOC for Cybersecurity.
• Description Criteria for Cybersecurity Risk Management Programs
  Description criteria for cybersecurity risk management programs.
• Complex IT Environments, Incident Response, and SOC for Cybersecurity Scope
  Complex IT environments, incident response, and SOC for Cybersecurity scope.
• Presenting Cybersecurity Findings to External Stakeholders
  Presenting cybersecurity findings to external stakeholders.