NDNB is one of North America’s leading providers of SOC 2 compliance reporting, and we now offer comprehensive SOC 2 for cybersecurity reporting in accordance with the American Institute of Certified Public Accountants (AICPA) cybersecurity and risk management guidelines.
NDNB also offers comprehensive SOC 1 and SOC 2 audits for businesses using Amazon AWS, Microsoft Azure, and Google GCP. If you're using AWS to host your production environment, here's what you need to know NOW about SOC 2 audits.
What is SOC for Cybersecurity? Introduction and Overview
SOC for cybersecurity is an examination engagement performed in accordance with the AICPA’s clarified attestation standards on an entity’s cybersecurity risk management program. The AICPA Guide, Reporting on an Entity’s Cybersecurity Risk Management Program and Controls, provides guidance for practitioners engaged to examine and report on an entity’s cybersecurity risk management program.
Therefore, with such an engagement, NDNB provides an opinion on: (a) management’s description of the entity’s cybersecurity risk management program and (b) the effectiveness of controls within that program to achieve the entity’s cybersecurity objectives. NDNB can thus perform a cybersecurity risk management examination resulting in the issuance of a general use cybersecurity report designed to meet the needs of a wide range of intended users.
3 Essential Components of a Cybersecurity Risk Management Examination
1. Management’s description of the entity’s cybersecurity risk management program. The initial component is a narrative prepared by management containing a description of the entity’s cybersecurity risk management program (the description).
This description is designed to provide information about how the entity identifies its information assets, the ways in which the entity manages the cybersecurity risks that threaten it, and the key security policies and processes implemented and operated to protect the entity’s information assets against those risks.
The description provides the context needed for users to understand the conclusions expressed by management in its assertion and by the practitioner in his or her report. Management uses the description criteria to prepare and evaluate the entity’s cybersecurity risk management program.
2. Management’s assertion. The second component is an assertion provided by management, which may be as of a point in time or for a specified period of time. Specifically, the assertion addresses whether (a) the description is presented in accordance with the description criteria and (b) the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives based on the control criteria. Please note that the AICPA has essentially developed control criteria for use when evaluating whether the controls within the program were effective to achieve the entity’s cybersecurity objectives.
3. Practitioner’s report. The third component is a practitioner’s report, which contains an opinion addressing both subject matters in the examination. Specifically, the opinion addresses whether (a) the description is presented in accordance with the description criteria and (b) the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives based on the control criteria.
Fixed-Fees. Superior Service. Nationwide Coverage
Turn to NDNB for SOC reporting for cybersecurity. Contact Chris Nickell today at NDNB at 1-800-277-5415, ext. 706, or via email, to learn more about our SOC 2 – and other audit services – for your organization.