1. Management's Description: This section describes the entity's cybersecurity risk management program and is designed to give report users information about how the entity:
- Identifies its information assets.
- Manages the cybersecurity risks that threaten those assets.
- Implements and operates its key security policies and processes to protect its information assets against those risks.
2. Management's Assertion: The assertion may be made as of a point in time or for a specified period of time. Specifically, it addresses whether:
- The description is presented in accordance with the description criteria.
- The controls within the entity's cybersecurity risk management program were effective to achieve the entity's cybersecurity objectives based on the control criteria.
The AICPA has developed control criteria for evaluating whether the controls within the program were effective to achieve the entity's cybersecurity objectives. An organization may also choose a different risk management framework to use as its control criteria, provided it is suitable and available to report users.
3. CPA's Opinion: This section contains the practitioner's opinion, which addresses whether:
- The description is presented in accordance with the description criteria.
- The controls within the entity's cybersecurity risk management program were effective to achieve the entity's cybersecurity objectives based on the control criteria.
VISTA InfoSec Information Security Specialists are senior-level experts holding certifications such as CISSP, CISA, and CRISC, and can help you maintain SOC 2 audit compliance in Malaysia.