When you're examining a cybersecurity risk management program and its controls, look to this authoritative guide for interpretive guidance. It includes a framework for providing stakeholders with useful, credible information about the effectiveness of an entity's cybersecurity efforts.
That's why your stakeholders are depending on you to deliver an airtight examination of risk management measures.
Our cybersecurity risk management reporting framework enables you to do this work, for companies of all sizes – in industries around the world.
This authoritative guide shows you how to implement this framework when an organization seeks your opinion.
The guide includes two distinct but complementary sets of criteria that you can use in the examination.
Description criteria: Use this approach to describe a company's cybersecurity risk management program and inform users about the processes and controls implemented to mitigate cybersecurity risks.
The description criteria enable consistency and efficiency when communicating the extent and effectiveness of the cybersecurity risk management controls in place.
CPAs may use these same criteria to evaluate the management's description.
Control criteria: Use the 2017 Trust Services Criteria as the control criteria when evaluating the effectiveness of a company's cybersecurity program.
CPAs may also use the criteria to evaluate the effectiveness of the controls within a client's program in the cybersecurity examination or when providing cybersecurity advisory services.
The cybersecurity risk management examination is part of the AICPA's suite of System and Organization Controls – or SOC – service offerings.