Vendor Centric Blog

The 4 W’s of SOC for Cybersecurity

August 2, 2018

Last April, the AICPA introduced a new tool for risk management: the SOC for Cybersecurity examination and report. Included in this was the cybersecurity risk management reporting framework, which was meant to standardize risk mitigation efforts across organizations. Although the exam is not mandatory, the main goal of the release was to enable anyone with access to private information (PI) to start taking a proactive approach to protecting it and to begin incorporating cybersecurity risk management. In this blog post, we will introduce the SOC report by running through four W’s (who, what, when and why) so that you can make an informed decision as to whether it is right for your organization.


Who is it meant for?


In contrast to previous releases, the SOC for Cybersecurity report is not tailored to service organizations specifically. In an effort to standardize cybersecurity frameworks across the board, the AICPA designed the new SOC report as a useful tool for any type of organization looking to exhibit its controls. With regard to its intended users, the SOC for Cybersecurity is also not as confidential as the SOC 2 report and is instead designed to be accessible by a broad audience. It is most useful for anyone attempting to ensure or prove that their organization has proper controls in place, such as the board of directors, top executives, and especially CFOs and CROs. It is also largely accessible by external users looking to examine such controls, such as investors, analysts, regulators, customers, and potential creditors.


What is it?


By definition, the SOC for Cybersecurity is a reporting framework through which organizations can communicate relevant information about the effectiveness of their cybersecurity risk management programs (CRMPs). In practice, this allows organizations to better understand, and better report on, their cybersecurity controls by establishing transparency into their policies. The report consists of the following three main components:


  • Management’s Assertion - Management provides insight into the goal of the report as well as its own role in maintaining oversight of cybersecurity

  • Practitioner’s Report - The auditor expresses an opinion on management’s assertion

  • Management’s Description of the Cybersecurity Risk Management Program - Management provides a specific description of the controls and risks in the CRMP


When was it released?


The framework was released last April by the AICPA. However, since this report is optional, it’s never too late to adopt it within your own organization. It may also be a wise decision to begin collecting these reports from your own vendors to ensure your information is in safe hands. 


Why is it necessary? 


The past five years have witnessed a changing landscape in cybersecurity. Investing in controls to protect your company from exposure was once almost a luxury. But over a short period of time, this perspective has shifted. Data breaches have impacted some of the world’s most prominent organizations, from Target to Yahoo to Equifax. These breaches carry consequences - fines, lawsuits, settlement fees, damaged reputation, etc. - and these consequences are becoming more serious as regulators pass cybersecurity laws such as GDPR.

Moreover, the differences between each organization’s approach to risk management have created confusion both internally and externally. According to Verizon’s 2017 Data Breach Investigations Report, 27% of data breaches in 2017 were discovered by third parties, meaning that organizations were unaware that they had been breached until another party informed them. What we found even more interesting in this report was the fact that 25% of the breaches were caused by internal actors, by means of employee error or a vendor’s lack of risk management. In response to such incongruities and events, the AICPA established the cybersecurity framework to provide uniformity within the business world’s risk management programs.

The time for taking an ad-hoc approach to cybersecurity is over. Organizations are now taking a proactive approach, and the SOC for Cybersecurity framework and report are tools assisting them with this goal.

For more information on the SOC for Cybersecurity framework or examination, we recommend visiting the AICPA website or contacting us here.


Vendor Centric specializes in helping organizations create and mature the policies, procedures and systems they use to manage their important vendor relationships. Learn more about our Vendor Management Framework and how we can help you implement the right-size vendor management program for your organization.

Copyright © 2018 Vendor Centric. All rights reserved.