TABLE OF CONTENTS

1   Introduction and Background

Introduction

Potential Users of Cybersecurity Information and Their Interests

Cybersecurity Risk Management Examination

Difference Between Cybersecurity and Information Security

Description of the Entity’s Cybersecurity Risk Management Program

The Entity’s Cybersecurity Objectives

Effectiveness of Controls Within the Entity’s Cybersecurity Risk Management Program

Overview of the Cybersecurity Risk Management Examination

Other Information About the Cybersecurity Risk Management Examination

Time Frame of Examination

Comparison of the Cybersecurity Risk Management Examination With an Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements

Cybersecurity Risk Management Examination That Addresses Only a Portion of the Entity’s Cybersecurity Risk Management Program

Cybersecurity Risk Management Examination That Addresses Only the Suitability of the Design of Controls (Design-Only Examination)

Other Engagements Related to Controls Over Security, Availability, Processing Integrity, Confidentiality, or Privacy

SOC 2 Engagements

Comparison of a Cybersecurity Risk Management Examination and a SOC 2 Engagement

Engagements Under the AICPA Consulting Standards

Professional Standards

Attestation Standards

Code of Professional Conduct

Quality in the Cybersecurity Risk Management Examination

2   Accepting and Planning a Cybersecurity Risk Management Examination

Introduction

Understanding Management’s ...

Source: Guide: Reporting on an Entity's Cybersecurity Risk Management Program and Controls (O’Reilly learning platform).