SOC for Cybersecurity - Cybersecurity Risk Management Examination

United States (AICPA)

v2017

12 domains

40 controls

SOC for Cybersecurity, introduced by the AICPA in 2017, provides a framework for reporting on an organisation's cybersecurity risk management programme. Unlike SOC 2 (which focuses on service organisations), SOC for Cybersecurity is designed for any organisation to communicate about its cybersecurity efforts. The examination uses the AICPA Description Criteria for Management's Description and the AICPA Trust Services Criteria or other suitable criteria. General-use report suitable for boards, investors, and business partners.

Unverified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (12)

Control Criteria Detect

3 controls

Controls in the Control Criteria Detect domain of SOC for Cybersecurity - Cybersecurity Risk Management Examination — 3 controls
Code	Title	Description
CRMC-10	Detect Continuous Monitoring	The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protect...
CRMC-11	Detect Detection Processes	Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events...
CRMC-9	Detect Anomalies and Events	Anomalous activity is detected in a timely manner and the potential impact of events is understood, with detection proce...

Control Criteria Identify

3 controls

Controls in the Control Criteria Identify domain of SOC for Cybersecurity - Cybersecurity Risk Management Examination — 3 controls
Code	Title	Description
CRMC-1	Identify Function Asset Management	The entity maintains an inventory of hardware, software, data, and external systems used to support business operations,...
CRMC-17	Vendor Cybersecurity Risk Management	Cyber supply chain and vendor risks are identified, assessed, and managed, with contractual requirements and ongoing mon...
CRMC-2	Identify Risk Assessment and Strategy	Risk assessments are performed at planned intervals and after significant changes, and a documented risk management stra...

Control Criteria Protect

6 controls

Controls in the Control Criteria Protect domain of SOC for Cybersecurity - Cybersecurity Risk Management Examination — 6 controls
Code	Title	Description
CRMC-3	Protect Identity and Access Management	Identities and credentials are managed for authorized devices, users, and processes, and access is granted based on the...
CRMC-4	Protect Awareness and Training	Personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity rel...
CRMC-5	Protect Data Security	Information is protected at rest, in transit, and in use, consistent with the entity's classification and risk decisions...
CRMC-6	Protect Information Protection Processes	Security policies, processes, and procedures are maintained and used to manage protection of information systems and ass...
CRMC-7	Protect Maintenance	Maintenance and repairs of industrial control and information system components are performed consistent with policies,...
CRMC-8	Protect Protective Technology	Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with re...

Control Criteria Recover

2 controls

Controls in the Control Criteria Recover domain of SOC for Cybersecurity - Cybersecurity Risk Management Examination — 2 controls
Code	Title	Description
CRMC-15	Recover Recovery Planning	Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected...
CRMC-16	Recover Improvements	Recovery planning and processes are improved by incorporating lessons learned into future activities, updating plans and...

Control Criteria Respond

3 controls

Controls in the Control Criteria Respond domain of SOC for Cybersecurity - Cybersecurity Risk Management Examination — 3 controls
Code	Title	Description
CRMC-12	Respond Response Planning	Response processes and procedures are executed and maintained to ensure timely response to detected cybersecurity events...
CRMC-13	Respond Communications	Response activities are coordinated with internal and external stakeholders, including law enforcement, regulators, cust...
CRMC-14	Respond Mitigation	Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident, including con...

Description Criteria

7 controls

Controls in the Description Criteria domain of SOC for Cybersecurity - Cybersecurity Risk Management Examination — 7 controls
Code	Title	Description
CRMP-1	Cybersecurity Risk Management Program Description	Management prepares a description of the entity wide cybersecurity risk management program covering the nature of operat...
CRMP-2	Cybersecurity Objectives	The description states the entity's cybersecurity objectives related to availability, confidentiality, and integrity of...
CRMP-3	Risk Assessment Process	The entity has a process to identify cybersecurity risks, including risks from sources external to the entity and risks...
CRMP-4	Inherent Cybersecurity Risks Identified	The description discloses the inherent cybersecurity risks identified by the entity, including risk factors arising from...
CRMP-5	Cybersecurity Controls Framework	Management identifies and discloses the cybersecurity control framework or frameworks used to design, implement, and ope...
CRMP-6	Governance Structure	The description discloses the governance structure for the cybersecurity risk management program, including roles and re...
CRMP-7	Communication of Cybersecurity Matters	The entity communicates information about cybersecurity objectives, risks, and the program to internal personnel and ext...

Description Criteria - Cybersecurity Controls

3 controls

Controls in the Description Criteria - Cybersecurity Controls domain of SOC for Cybersecurity - Cybersecurity Risk Management Examination — 3 controls
Code	Title	Description
SOC-CY-DC7	Control Environment	Design and implementation of cybersecurity controls aligned with objectives
SOC-CY-DC8	Monitoring of Controls	Processes for monitoring and evaluating the effectiveness of cybersecurity controls
SOC-CY-DC9	Third-Party Management	Process for managing cybersecurity risks associated with third-party service providers

Description Criteria - Cybersecurity Risk Governance

3 controls

Controls in the Description Criteria - Cybersecurity Risk Governance domain of SOC for Cybersecurity - Cybersecurity Risk Management Examination — 3 controls
Code	Title	Description
SOC-CY-DC4	Governance Structure	Board and management oversight of the cybersecurity risk management program
SOC-CY-DC5	Risk Assessment Process	Process for identifying, assessing, and managing cybersecurity risks and threats
SOC-CY-DC6	Communication and Reporting	Internal and external communication and reporting about cybersecurity matters

Description Criteria - Nature of Business and Operations

3 controls

Controls in the Description Criteria - Nature of Business and Operations domain of SOC for Cybersecurity - Cybersecurity Risk Management Examination — 3 controls
Code	Title	Description
SOC-CY-DC1	Nature of Business and Operations	Description of the entity's business and operations relevant to its cybersecurity risk management program
SOC-CY-DC2	Nature of Sensitive Information	Types of sensitive information at risk, including PII, PHI, financial data, and intellectual property
SOC-CY-DC3	Cybersecurity Risk Management Objectives	Entity's objectives for its cybersecurity risk management program

Trust Services Criteria - Availability

2 controls

Controls in the Trust Services Criteria - Availability domain of SOC for Cybersecurity - Cybersecurity Risk Management Examination — 2 controls
Code	Title	Description
SOC-CY-A1	Availability Commitments	System availability performance monitoring and commitments related to cybersecurity infrastructure
SOC-CY-A2	Disaster Recovery	Disaster recovery planning and testing for cybersecurity systems and infrastructure

Trust Services Criteria - Confidentiality

2 controls

Controls in the Trust Services Criteria - Confidentiality domain of SOC for Cybersecurity - Cybersecurity Risk Management Examination — 2 controls
Code	Title	Description
SOC-CY-C1	Confidential Information Protection	Identification and protection of confidential information within the cybersecurity program
SOC-CY-C2	Encryption and Data Protection	Encryption and data protection mechanisms for data at rest and in transit

Trust Services Criteria - Security

3 controls

Controls in the Trust Services Criteria - Security domain of SOC for Cybersecurity - Cybersecurity Risk Management Examination — 3 controls
Code	Title	Description
SOC-CY-S1	Logical and Physical Access Controls	Controls to restrict logical and physical access to the cybersecurity infrastructure
SOC-CY-S2	System Operations	Controls over system operations to detect and mitigate processing deviations and security incidents
SOC-CY-S3	Change Management	Controls over changes to the cybersecurity infrastructure to prevent unauthorized modifications

Your Compliance Coverage

If you comply with SOC for Cybersecurity - Cybersecurity Risk Management Examination, you already cover:

TISAX - Trusted Information Security Assessment Exchange

28%

11 controls mapped

Compare →

SSAE 18 - Attestation Standards (SOC Reporting)

25%

10 controls mapped

Compare →

NIST SP 800-53 Rev 5

23%

9 controls mapped

Compare →

+ 284 more: Singapore Government Instruction Manual on ICT&SS Management (IM8) (23%), South Korea ISMS-P (23%)

See all 287 mapped frameworks ↓

Maps to 287 other frameworks

40 total controls

TISAX - Trusted Information Security Assessment Exchange

11 source controls mapped|14 target controls covered

28%

SSAE 18 - Attestation Standards (SOC Reporting)

10 source controls mapped|14 target controls covered

25%

NIST SP 800-53 Rev 5

9 source controls mapped|21 target controls covered

23%

Singapore Government Instruction Manual on ICT&SS Management (IM8)

9 source controls mapped|12 target controls covered

23%

South Korea ISMS-P

9 source controls mapped|10 target controls covered

23%

Protective Security Policy Framework (PSPF) Release 2024

9 source controls mapped|19 target controls covered

23%

NIST SP 800-171A Rev 3 - Assessing CUI Security Requirements

8 source controls mapped|10 target controls covered

20%

UK Defence Standard 05-138 - Cyber Security for Defence Suppliers

8 source controls mapped|8 target controls covered

20%

RBI Cybersecurity Framework for Banks

8 source controls mapped|8 target controls covered

20%

Telecommunications Sector Security Reforms (TSSR)

8 source controls mapped|11 target controls covered

20%

NIST Cybersecurity Framework 2.0

8 source controls mapped|14 target controls covered

20%

ISO 27019

8 source controls mapped|9 target controls covered

20%

Annex 11 to EU GMP - Computerised Systems

8 source controls mapped|5 target controls covered

20%

IEC 62443

8 source controls mapped|9 target controls covered

20%

API 1164

8 source controls mapped|9 target controls covered

20%

NIST SP 1800-32

8 source controls mapped|9 target controls covered

20%

TSA Pipeline Security

8 source controls mapped|10 target controls covered

20%

ISO 27001:2022

7 source controls mapped|15 target controls covered

18%

FFIEC IT Examination Handbook

7 source controls mapped|10 target controls covered

18%

PCI P2PE

7 source controls mapped|10 target controls covered

18%

APRA CPS 234

7 source controls mapped|11 target controls covered

18%

PCI SSF

7 source controls mapped|11 target controls covered

18%

NIST AI Risk Management Framework (AI RMF 1.0)

7 source controls mapped|12 target controls covered

18%

PSD2 SCA

7 source controls mapped|11 target controls covered

18%

PCI PIN Security

7 source controls mapped|12 target controls covered

18%

Open Banking Security

7 source controls mapped|11 target controls covered

18%

OSFI B-13

7 source controls mapped|12 target controls covered

18%

Singapore AI Governance Framework

7 source controls mapped|7 target controls covered

18%

SWIFT CSP

7 source controls mapped|10 target controls covered

18%

UK AI Regulation Framework

7 source controls mapped|6 target controls covered

18%

SWIFT CSCF

7 source controls mapped|10 target controls covered

18%

Security of Critical Infrastructure Act 2018 (SOCI)

7 source controls mapped|9 target controls covered

18%

Azure Security Benchmark

6 source controls mapped|7 target controls covered

15%

FBI CJIS Security Policy

6 source controls mapped|5 target controls covered

15%

ISO/IEC 23894:2023

6 source controls mapped|7 target controls covered

15%

ISO/IEC 27557:2022 - Organisational Privacy Risk Management

6 source controls mapped|8 target controls covered

15%

SASB Standards (ISSB Integrated)

6 source controls mapped|7 target controls covered

15%

SASB Standards

6 source controls mapped|7 target controls covered

15%

UK ONR Cyber Security and Information Assurance (CSIA) for Nuclear Facilities

6 source controls mapped|4 target controls covered

15%

FFIEC Cybersecurity Assessment Tool (CAT)

6 source controls mapped|6 target controls covered

15%

SOC 2

6 source controls mapped|11 target controls covered

15%

Papua New Guinea National Cybersecurity Policy & Cybercrime Act (2016)

6 source controls mapped|7 target controls covered

15%

APRA CPS 230 Operational Risk Management

6 source controls mapped|8 target controls covered

15%

ISO 28001:2007 Supply Chain Security Management

6 source controls mapped|3 target controls covered

15%

FTC GLBA Safeguards Rule (16 CFR Part 314)

5 source controls mapped|3 target controls covered

13%

Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL)

5 source controls mapped|4 target controls covered

13%

Rwanda DPL

5 source controls mapped|7 target controls covered

13%

Qatar DPL

5 source controls mapped|9 target controls covered

13%

Oregon Consumer Privacy Act

5 source controls mapped|6 target controls covered

13%

Turkey KVKK

5 source controls mapped|6 target controls covered

13%

AWS Well-Architected Security Pillar

5 source controls mapped|6 target controls covered

13%

Vietnam PDPD

5 source controls mapped|9 target controls covered

13%

BSI IT-Grundschutz

5 source controls mapped|11 target controls covered

13%

Bahrain PDPL

5 source controls mapped|9 target controls covered

13%

ISO 15189:2022 - Medical Laboratories Requirements for Quality and Competence

5 source controls mapped|4 target controls covered

13%

Philippines DPA

5 source controls mapped|9 target controls covered

13%

NIST SP 800-190

5 source controls mapped|7 target controls covered

13%

Personal Data Act (personopplysningsloven)

5 source controls mapped|6 target controls covered

13%

PDPA Thailand

5 source controls mapped|6 target controls covered

13%

POPIA

5 source controls mapped|9 target controls covered

13%

Saudi Arabia PDPL

5 source controls mapped|7 target controls covered

13%

ISO 27017

5 source controls mapped|7 target controls covered

13%

PDPA Singapore

5 source controls mapped|9 target controls covered

13%

ISO 27018

5 source controls mapped|7 target controls covered

13%

Spain ENS

5 source controls mapped|11 target controls covered

13%

APPI

5 source controls mapped|9 target controls covered

13%

Privacy Act 2020

5 source controls mapped|7 target controls covered

13%

AS9100D:2016 - Quality Management Systems for Aviation, Space, and Defence

5 source controls mapped|4 target controls covered

13%

ISO 27005

5 source controls mapped|7 target controls covered

13%

ISO 20000-1

5 source controls mapped|5 target controls covered

13%

Switzerland FADP

5 source controls mapped|9 target controls covered

13%

Saudi NCA ECC

5 source controls mapped|11 target controls covered

13%

ISO/IEC 23837 - Security Requirements for Quantum Key Distribution

5 source controls mapped|5 target controls covered

13%

NIST SP 800-171A - Assessing Security Requirements for Controlled Unclassified Information (CUI)

5 source controls mapped|11 target controls covered

13%

Peru DPL

5 source controls mapped|9 target controls covered

13%

Privacy Act 1988 (Australia)

5 source controls mapped|6 target controls covered

13%

UK Gambling Commission - Cyber Resilience Requirements

5 source controls mapped|7 target controls covered

13%

Texas Data Privacy Act

5 source controls mapped|8 target controls covered

13%

Uruguay DPL

5 source controls mapped|9 target controls covered

13%

Taiwan PDPA

5 source controls mapped|6 target controls covered

13%

Virginia CDPA

5 source controls mapped|9 target controls covered

13%

UK Data Protection Act 2018

5 source controls mapped|8 target controls covered

13%

Utah Consumer Privacy Act

5 source controls mapped|6 target controls covered

13%

Tennessee IPA

5 source controls mapped|6 target controls covered

13%

BS 65000:2014 - Guidance on Organizational Resilience

5 source controls mapped|3 target controls covered

13%

South Korea Cloud Security Assurance Program (CSAP)

5 source controls mapped|4 target controls covered

13%

SEC Climate Disclosure Rule

5 source controls mapped|4 target controls covered

13%

TNFD Recommendations

5 source controls mapped|5 target controls covered

13%

ISO/IEC 38500:2024 - Governance of IT

5 source controls mapped|3 target controls covered

13%

ISO 22320:2018

5 source controls mapped|4 target controls covered

13%

ICAO Annex 17 - Aviation Security (AVSEC)

5 source controls mapped|2 target controls covered

13%

EASA Part-IS - Information Security in Aviation

5 source controls mapped|8 target controls covered

13%

UK Open Banking Standard

4 source controls mapped|6 target controls covered

10%

Sri Lanka Personal Data Protection Act (No. 9 of 2022)

4 source controls mapped|6 target controls covered

10%

Philippines Data Privacy Act (RA 10173)

4 source controls mapped|11 target controls covered

10%

Turkey Personal Data Protection Law (KVKK - Law No. 6698)

4 source controls mapped|7 target controls covered

10%

Regulation (EU) 2019/1239 on the Maritime Single Window (MSW)

4 source controls mapped|3 target controls covered

10%

ISO/IEC 27400:2022

4 source controls mapped|7 target controls covered

10%

ASD Strategies to Mitigate Cyber Security Incidents

4 source controls mapped|8 target controls covered

10%

Vietnam Law on Cybersecurity (No. 24/2018/QH14)

4 source controls mapped|8 target controls covered

10%

Barbados Data Protection Act 2019

4 source controls mapped|6 target controls covered

10%

ISO/IEC 27010:2015

4 source controls mapped|6 target controls covered

10%

Switzerland New Federal Act on Data Protection (nFADP/nDSG, 2023)

4 source controls mapped|6 target controls covered

10%

Trinidad and Tobago Data Protection Act 2011

4 source controls mapped|13 target controls covered

10%

UK GDPR (UK General Data Protection Regulation)

4 source controls mapped|5 target controls covered

10%

Zambia Data Protection Act (2021)

4 source controls mapped|5 target controls covered

10%

TEFCA - Trusted Exchange Framework and Common Agreement

4 source controls mapped|4 target controls covered

10%

UK Security and Emergency Measures Direction (SEMD) - Water Industry

4 source controls mapped|8 target controls covered

10%

ITIL 4

4 source controls mapped|4 target controls covered

10%

ASIS SPC.1-2009 - Organizational Resilience Standard

4 source controls mapped|6 target controls covered

10%

AASB S2 Climate-related Disclosures

4 source controls mapped|3 target controls covered

10%

TSA Pipeline Cybersecurity Directives

4 source controls mapped|4 target controls covered

10%

IEC 62304:2015 Medical Device Software Lifecycle Processes

4 source controls mapped|5 target controls covered

10%

Own Risk and Solvency Assessment (ORSA) - NAIC Model Act

4 source controls mapped|5 target controls covered

10%

UAE Virtual Asset Regulatory Authority (VARA) Regulations

4 source controls mapped|3 target controls covered

10%

ISO 31000

4 source controls mapped|6 target controls covered

10%

AML/CTF Act 2006 (Australia)

4 source controls mapped|2 target controls covered

10%

AS9100D - Aerospace Quality Management System

4 source controls mapped|4 target controls covered

10%

ISO/IEC 27003:2017

4 source controls mapped|4 target controls covered

10%

Authorised Economic Operator (AEO) Programmes - Global Standards

4 source controls mapped|2 target controls covered

10%

APRA SPS 220 Risk Management (Superannuation)

4 source controls mapped|4 target controls covered

10%

ISO/SAE 21434

3 source controls mapped|8 target controls covered

ISO 27043

3 source controls mapped|8 target controls covered

OWASP SAMM

3 source controls mapped|7 target controls covered

ISO/IEC 27011:2024

3 source controls mapped|8 target controls covered

MARS-E - Minimum Acceptable Risk Standards for Exchanges

3 source controls mapped|2 target controls covered

OpenSSF Scorecard

3 source controls mapped|9 target controls covered

US Consumer Product Safety Commission (CPSC) - Connected Product Safety

3 source controls mapped|3 target controls covered

PTES

3 source controls mapped|8 target controls covered

OWASP ASVS

3 source controls mapped|8 target controls covered

Rwanda Law No. 058/2021 Relating to the Protection of Personal Data

3 source controls mapped|10 target controls covered

ISO 13485

3 source controls mapped|9 target controls covered

ISO 27799

3 source controls mapped|9 target controls covered

Saudi PDPL

3 source controls mapped|8 target controls covered

AWWA Cybersecurity Guidance for the Water Sector (American Water Works Association)

3 source controls mapped|5 target controls covered

SIG (Shared Assessments)

3 source controls mapped|8 target controls covered

GDPR

3 source controls mapped|8 target controls covered

PAS 1192-5:2015 - Security-Minded Approach to BIM and Digital Built Environments

3 source controls mapped|2 target controls covered

Tennessee Information Protection Act (TIPA)

3 source controls mapped|9 target controls covered

OWASP Top 10:2025

3 source controls mapped|5 target controls covered

SLSA

3 source controls mapped|8 target controls covered

Vermont Artificial Intelligence and Consumer Data Act (AICDA)

3 source controls mapped|6 target controls covered

OWASP MASVS

3 source controls mapped|7 target controls covered

Austria Data Protection Act (Datenschutzgesetz, DSG, amended 2018)

3 source controls mapped|7 target controls covered

PropTech Security Standards - Smart Building Cybersecurity

3 source controls mapped|4 target controls covered

Pakistan Personal Data Protection Bill 2023

3 source controls mapped|5 target controls covered

IEC 62351 - Power Systems Communication Security

3 source controls mapped|4 target controls covered

Serbia Law on Personal Data Protection (2018)

3 source controls mapped|7 target controls covered

UNICEF Policy Guidance on AI for Children (2021)

3 source controls mapped|3 target controls covered

Wisconsin Data Privacy Act (SB 670)

3 source controls mapped|8 target controls covered

Singapore Payment Services Act (PSA) - Digital Payment Token Regulation

3 source controls mapped|8 target controls covered

Tanzania Personal Data Protection Act (Draft)

3 source controls mapped|12 target controls covered

UNECE WP.29 R156

3 source controls mapped|8 target controls covered

SSDF (NIST)

3 source controls mapped|8 target controls covered

UNECE WP.29 R155

3 source controls mapped|7 target controls covered

UK Age Appropriate Design Code (Children's Code)

3 source controls mapped|6 target controls covered

UK PSTI Act

3 source controls mapped|8 target controls covered

South Africa Promotion of Access to Information Act (PAIA)

3 source controls mapped|4 target controls covered

ITU-T X.805 - Security Architecture for End-to-End Communications

3 source controls mapped|3 target controls covered

US EPA Safe Drinking Water Act (SDWA) - Cybersecurity Requirements

3 source controls mapped|6 target controls covered

ISO/IEC 27031:2011

3 source controls mapped|7 target controls covered

DAMA-DMBOK2 - Data Management Body of Knowledge (2nd Edition)

3 source controls mapped|4 target controls covered

US NRC 10 CFR 73.54 - Cyber Security for Nuclear Power Plants

3 source controls mapped|3 target controls covered

SANS Incident Handler's Handbook and PICERL Methodology

3 source controls mapped|6 target controls covered

NFPA 1600 - Standard on Continuity, Emergency, and Crisis Management

3 source controls mapped|6 target controls covered

US Maritime Transportation Security Act (MTSA) and USCG Cybersecurity Requirements

3 source controls mapped|5 target controls covered

AICPA Privacy Management Framework (PMF)

3 source controls mapped|5 target controls covered

SEC Cybersecurity Disclosure Rules

3 source controls mapped|2 target controls covered

IAIS Insurance Core Principles (ICPs)

3 source controls mapped|2 target controls covered

IEC 60601-1 - Medical Electrical Equipment Safety

3 source controls mapped|3 target controls covered

ISO 37000:2021 - Governance of Organizations

3 source controls mapped|2 target controls covered

PIC/S Guide to Good Manufacturing Practice for Medicinal Products

3 source controls mapped|1 target controls covered

Solvency II

3 source controls mapped|3 target controls covered

Aged Care Quality Standards (Australia)

3 source controls mapped|1 target controls covered

ISO 20400:2017 - Sustainable Procurement

3 source controls mapped|1 target controls covered

Singapore Model AI Governance Framework (2nd Edition)

3 source controls mapped|1 target controls covered

Florida Digital Bill of Rights (FDBR)

2 source controls mapped|2 target controls covered

Sigstore - Software Artifact Signing and Verification

2 source controls mapped|6 target controls covered

NIST SP 800-124 Revision 2 - Guidelines for Managing the Security of Mobile Devices

2 source controls mapped|4 target controls covered

CISA Cross-Sector Cybersecurity Performance Goals (CPG) 2.0

2 source controls mapped|5 target controls covered

Azerbaijan Law on Personal Data (2010)

2 source controls mapped|4 target controls covered

Albania Law on Protection of Personal Data (Law No. 9887, 2008, amended 2014)

2 source controls mapped|3 target controls covered

ISO 19011

2 source controls mapped|3 target controls covered

Peru Personal Data Protection Law (Law No. 29733)

2 source controls mapped|6 target controls covered

Panama Law on Personal Data Protection (Law No. 81 of 2019)

2 source controls mapped|4 target controls covered

Portugal Law No. 58/2019 - Data Protection Implementation Act

2 source controls mapped|8 target controls covered

Uruguay Personal Data Protection Act (Law No. 18.331)

2 source controls mapped|6 target controls covered

Qatar Personal Data Privacy Protection Law (Law No. 13 of 2016)

2 source controls mapped|2 target controls covered

Paraguay Law on Protection of Personal Data (Law No. 6534/2020)

2 source controls mapped|4 target controls covered

Senegal Law on Personal Data Protection (Law No. 2008-12)

2 source controls mapped|7 target controls covered

Tunisia Organic Law on Personal Data Protection (Law No. 2004-63)

2 source controls mapped|6 target controls covered

Poland Act on Personal Data Protection (Ustawa o ochronie danych osobowych, 2018)

2 source controls mapped|4 target controls covered

RFC 2350 - Expectations for Computer Security Incident Response (BCP 21)

2 source controls mapped|4 target controls covered

Uzbekistan Law on Personal Data (No. ZRU-547)

2 source controls mapped|4 target controls covered

Russia Federal Law on Personal Data (152-FZ)

2 source controls mapped|3 target controls covered

OWASP API Security Top 10 - 2023

2 source controls mapped|2 target controls covered

Spain Organic Law 3/2018 on Data Protection and Digital Rights (LOPDGDD)

2 source controls mapped|4 target controls covered

Tonga Communications Act (2015) - Privacy & Data Protection

2 source controls mapped|2 target controls covered

Zimbabwe Data Protection Act (2021)

2 source controls mapped|3 target controls covered

US Executive Order 14028 - Improving the Nation's Cybersecurity

2 source controls mapped|2 target controls covered

US Children's Online Privacy Protection Act (COPPA) and COPPA 2.0 Proposed Updates

2 source controls mapped|4 target controls covered

US ITAR and EAR - Export Control and Data Security

2 source controls mapped|3 target controls covered

UNESCO Recommendation on the Ethics of AI

2 source controls mapped|3 target controls covered

Sweden Data Protection Act (Dataskyddslag, 2018:218)

2 source controls mapped|3 target controls covered

Student Privacy Pledge 2020

2 source controls mapped|4 target controls covered

Uganda Data Protection and Privacy Act (2019)

2 source controls mapped|5 target controls covered

Romania Law No. 190/2018 on Data Protection Measures (GDPR Implementation)

2 source controls mapped|4 target controls covered

Proposal for a Directive on improving working conditions in platform work (COM(2023) 491)

2 source controls mapped|4 target controls covered

UK FCA/PRA Operational Resilience Framework

2 source controls mapped|4 target controls covered

ISO 41001:2018 - Facility Management Systems

2 source controls mapped|4 target controls covered

ISO 39001:2012 - Road Traffic Safety Management

2 source controls mapped|4 target controls covered

ISO 50001:2018 - Energy Management Systems

2 source controls mapped|4 target controls covered

ISO 22313:2020 - Guidance on Business Continuity Management Systems

2 source controls mapped|4 target controls covered

Washington My Health My Data Act (MHMD)

2 source controls mapped|4 target controls covered

Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

2 source controls mapped|5 target controls covered

ISO 26262:2018 - Functional Safety for Road Vehicles

2 source controls mapped|2 target controls covered

OWASP DevSecOps Maturity Model (DSOMM)

2 source controls mapped|4 target controls covered

Canada ITSG-33 - IT Security Risk Management

2 source controls mapped|1 target controls covered

UK Telecommunications (Security) Act 2021

2 source controls mapped|3 target controls covered

Singapore Cybersecurity Act 2018

2 source controls mapped|2 target controls covered

COSO Internal Control - Integrated Framework (2013)

2 source controls mapped|2 target controls covered

US Gramm-Leach-Bliley Act (GLBA) - Higher Education Safeguards Rule

2 source controls mapped|4 target controls covered

ISO/IEC 29147:2018

2 source controls mapped|2 target controls covered

ISO/IEC 29134:2023

2 source controls mapped|3 target controls covered

ISO/IEC 27014:2020

2 source controls mapped|2 target controls covered

Union Customs Code (UCC) - Regulation (EU) No 952/2013

2 source controls mapped|4 target controls covered

NATO STANAG 4774 (Confidentiality Metadata Labels) and STANAG 4778 (Metadata Binding)

1 source controls mapped|1 target controls covered

South Korea Korea Internet Self-Governance Organisation (KISO) Code of Ethics

1 source controls mapped|1 target controls covered

ISO 22739:2024 - Blockchain and Distributed Ledger Technologies Vocabulary

1 source controls mapped|1 target controls covered

ISO 31000:2018

1 source controls mapped|2 target controls covered

Nebraska Data Privacy Act

1 source controls mapped|2 target controls covered

NSA Guidance for Transition to Quantum-Resistant Cryptography

1 source controls mapped|3 target controls covered

ISO/IEC 29115:2023 - Entity Authentication Assurance Framework

1 source controls mapped|1 target controls covered

Secure by Design: A Guide for Manufacturers (CISA)

1 source controls mapped|2 target controls covered

ISO 26000:2010

1 source controls mapped|1 target controls covered

3GPP 5G Security Architecture (TS 33.501)

1 source controls mapped|2 target controls covered

W3C Verifiable Credentials (VC) Data Model 2.0

1 source controls mapped|1 target controls covered

COBIT 2019

1 source controls mapped|1 target controls covered

ISO/IEC 27007:2020

1 source controls mapped|1 target controls covered

WELL Building Standard v2 (International WELL Building Institute)

1 source controls mapped|1 target controls covered

ISO/IEC 25012:2008 - Data Quality Model

1 source controls mapped|1 target controls covered

Right to Disconnect (Australia)

1 source controls mapped|1 target controls covered

ISO 22318

1 source controls mapped|5 target controls covered

ISO 22317

1 source controls mapped|5 target controls covered

ISO 56002

1 source controls mapped|3 target controls covered

ISO 37002:2021 - Whistleblowing Management Systems

1 source controls mapped|3 target controls covered

ISO/IEC 17025:2017 - General Requirements for Testing and Calibration Laboratories

1 source controls mapped|1 target controls covered

ISO 22316

1 source controls mapped|5 target controls covered

ISO 30401

1 source controls mapped|1 target controls covered

ISO 55001

1 source controls mapped|1 target controls covered

ISO 9001

1 source controls mapped|1 target controls covered

ISO 37001

1 source controls mapped|1 target controls covered

ISO 37301

1 source controls mapped|1 target controls covered

Space ISAC (Information Sharing and Analysis Center) - Threat Framework

1 source controls mapped|1 target controls covered

21 CFR Part 58 - Good Laboratory Practice (GLP)

1 source controls mapped|1 target controls covered

SWIFT Customer Security Programme (CSP)

1 source controls mapped|2 target controls covered

Nevada Gaming Control Board Cybersecurity Requirements

1 source controls mapped|1 target controls covered

NIST SP 800-171

1 source controls mapped|1 target controls covered

Voluntary Principles on Security and Human Rights (VPs)

1 source controls mapped|1 target controls covered

ISO/IEC 30111:2019

1 source controls mapped|2 target controls covered

PCAOB AS 2201 - Audit of Internal Control Over Financial Reporting (ICFR)

1 source controls mapped|2 target controls covered

FedRAMP High

1 source controls mapped|1 target controls covered

NIST SP 800-53 Revision 5.1 HIGH

1 source controls mapped|1 target controls covered

FedRAMP Moderate

1 source controls mapped|1 target controls covered

NIST SP 800-53 Rev 5 MODERATE

1 source controls mapped|1 target controls covered

NIST SP 800-53 Rev 5 LOW

1 source controls mapped|1 target controls covered

Responsible Minerals Initiative (RMI) - Responsible Minerals Assurance Process

1 source controls mapped|3 target controls covered

SQF Code Edition 9 - Safe Quality Food

1 source controls mapped|2 target controls covered

ISO 22000

1 source controls mapped|1 target controls covered

ISO 45001

1 source controls mapped|1 target controls covered

UK Online Safety Act 2023

1 source controls mapped|3 target controls covered

UK Modern Slavery Act 2015

1 source controls mapped|1 target controls covered

Australian Privacy Principles (APPs)

1 source controls mapped|3 target controls covered

Armenia Law on Protection of Personal Data (2015)

1 source controls mapped|3 target controls covered

Ukraine Law on Personal Data Protection (Law No. 2297-VI)

1 source controls mapped|2 target controls covered

South Korea Credit Information Act

1 source controls mapped|4 target controls covered

Singapore Payment Services Act 2019 (PSA) - Digital Payment Token Provisions

1 source controls mapped|2 target controls covered

WHO Global Strategy on Digital Health 2020-2025

1 source controls mapped|1 target controls covered

Regional Comprehensive Economic Partnership (RCEP) - E-Commerce Chapter

1 source controls mapped|1 target controls covered

ISO/IEC 29100:2024

1 source controls mapped|3 target controls covered

Privacy and Other Legislation Amendment Act 2024 (Australia)

1 source controls mapped|3 target controls covered

OWASP Top 10 for LLM Applications 2025

1 source controls mapped|1 target controls covered

USMCA Chapter 19 - Digital Trade (United States-Mexico-Canada Agreement)

1 source controls mapped|2 target controls covered

Illinois Biometric Information Privacy Act (BIPA)

1 source controls mapped|1 target controls covered

Estonia Personal Data Protection Act (Isikuandmete kaitse seadus, 2019)

1 source controls mapped|1 target controls covered

Virginia Consumer Data Protection Act (VCDPA)

1 source controls mapped|3 target controls covered

UK Construction (Design and Management) Regulations 2015 (CDM 2015)

1 source controls mapped|1 target controls covered

Compare SOC for Cybersecurity - Cybersecurity Risk Management Examination with TISAX - Trusted Information Security Assessment Exchange

Frequently Asked Questions

What is SOC for Cybersecurity - Cybersecurity Risk Management Examination?

SOC for Cybersecurity - Cybersecurity Risk Management Examination is a compliance framework from United States (AICPA) with 12 domains and 40 controls. SOC for Cybersecurity, introduced by the AICPA in 2017, provides a framework for reporting on an organisation's cybersecurity risk management programme. Unlike SOC 2 (which focuses on service organisations), SOC for Cybersecurity is designed for any organisation to communicate about its cybersecurity efforts. The examination uses the AICPA Description Criteria for Management's Description and the AICPA Trust Services Criteria or other suitable criteria. General-use report suitable for boards, investors, and business partners. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does SOC for Cybersecurity - Cybersecurity Risk Management Examination have?

SOC for Cybersecurity - Cybersecurity Risk Management Examination has 40 controls organised across 12 domains. The largest domains are Description Criteria (7 controls), Control Criteria Protect (6 controls), Control Criteria Detect (3 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does SOC for Cybersecurity - Cybersecurity Risk Management Examination map to?

SOC for Cybersecurity - Cybersecurity Risk Management Examination maps to 287 other compliance frameworks. The top mapping partners are TISAX - Trusted Information Security Assessment Exchange (28% coverage), SSAE 18 - Attestation Standards (SOC Reporting) (25% coverage), NIST SP 800-53 Rev 5 (23% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with SOC for Cybersecurity - Cybersecurity Risk Management Examination compliance?

Start your SOC for Cybersecurity - Cybersecurity Risk Management Examination compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about SOC for Cybersecurity - Cybersecurity Risk Management Examination requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 40 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 700 frameworks.

Get Started Free →

Free forever — no credit card required