


What's the Difference Between SOC for Cybersecurity & Risk Assessments?

09/12/2017  |  By: Mark Burnette, CPA, CISSP, CISM, CISA, CRISC, CGEIT, ITIL, QSA, Shareholder, Information Security


Cybersecurity has become an increasingly important priority for almost every major corporation, hospital, financial institution, law firm, and retailer in today’s world. As a result, numerous risk management frameworks have been created to help ensure organizations are properly managing their cybersecurity risks. However, while understanding an entity’s compliance with regulations such as the HIPAA Security Rule and Payment Card Industry Data Security Standard (PCI DSS) has become common practice for many business leaders, the idea of proper cybersecurity risk management hasn’t been as intuitive for non-technical stakeholders, such as board members, directors, analysts, and investors.   

While implementing cybersecurity controls to meet a compliance threshold is important, attaining compliance with a regulation does not necessarily mean that an entity is sufficiently secure. In fact, “sufficient cybersecurity” is a subjective measure that typically depends on many factors, including an entity’s industry, the type of data it processes, and its financial condition. All of these factors can affect the amount of cybersecurity risk that an executive team is willing to accept. Because cybersecurity risk tolerance differs for each organization, evaluating an organization’s cybersecurity posture is difficult, and it is even more difficult for business stakeholders who are not cybersecurity mavens.

As a result, the AICPA created a comprehensive framework that can help organizations obtain and publish an independent opinion on their cybersecurity risk management program, known as SOC for Cybersecurity. This framework went into effect earlier this year and has garnered significant attention from business leaders, CPAs, and IT professionals. 

What’s the Difference between SOC for Cybersecurity & Risk Assessments? 

As the conversation around SOC for Cybersecurity has grown, many of our clients and potential partners have asked how it differs from the current risk assessment analysis process that many entities undergo on an annual basis. The primary difference is that a risk assessment is an evaluation of an organization’s exposure against a specific set of threats, whereas SOC for Cybersecurity is an independent opinion on an entity’s entire risk management program practices (which includes its risk assessment process).

A risk assessment can help an entity identify specific cybersecurity risks to the company, by focusing on the effectiveness of controls that reduce the likelihood that a specific threat will be realized. A risk assessment is not a formal opinion report—it is a prioritized list of threats and remediation actions. SOC for Cybersecurity is a comprehensive analysis that evaluates an entity’s risk assessment process and its governance activities, along with its overall cybersecurity objectives, communications, and control processes. The SOC for Cybersecurity report culminates in an assertion made by management regarding its cybersecurity risk management program practices, and an accompanying opinion, issued by a CPA firm with qualified cybersecurity experts, that lends credibility to management’s assertions.

Could Your Organization Benefit from an SOC for Cybersecurity Analysis?

Because of LBMC Information Security’s position as a leading national IT security firm, we had the opportunity to work alongside the AICPA to develop the SOC for Cybersecurity framework. While the SOC for Cybersecurity analysis is still voluntary, numerous business leaders have expressed interest in learning how this report can provide greater confidence to their shareholders, and to business executives who want confirmation that the time and money they are committing to cybersecurity are properly addressing cybersecurity risks.

While risk assessments are a necessary part of any cybersecurity risk management program, an SOC for Cybersecurity analysis may become the “Good Housekeeping” seal of approval for many businesses seeking validation of their cybersecurity efforts.

Could your organization benefit from an SOC for Cybersecurity analysis? Connect with our team to learn more.

Posted in: Security Consulting