Reporting on an Entity's Cybersecurity Risk Management Program and Controls: Attestation Guide
When you're examining a cybersecurity risk management program and its controls, look to this authoritative guide for interpretive guidance. Includes a framework for providing stakeholders with useful, credible information about the effectiveness of an entity's cybersecurity efforts.

If you are purchasing a product in one of the following formats, please check the system requirements below:

Online Professional Library
The AICPA Online Professional Library will operate in a variety of configurations, but only the configuration described below is supported by our technicians:

  • Windows 7+ (Latest Microsoft Edge, Internet Explorer, Firefox or Chrome)

eBooks through VitalSource®

Operating Systems:

  • Windows 7/8/8.1/10 (32/64 bit)
  • Mac (OS X 10.9 or later)


Browsers:

  • Chrome (stable channel)
  • Firefox (release channel)
  • Safari 9+
  • Internet Explorer 11+
  • Microsoft Edge
  • Mobile Safari 9+
  • Chrome for Android (stable channel)


Mobile Devices:

  • iPhone (iOS 10 or later)
  • iPad (iOS 10 or later)
  • Android Smartphone 5.0 or later
  • Android Tablet (Android OS 5.0 or later)
  • Kindle Fire (OS 5 or later)

VitalSource supports the current browser version.

Other Software Needs
To access your Interactive eBook on your tablet, desktop or mobile device, download the appropriate VitalSource Bookshelf app. Downloading this product will require an account with the third-party vendor and your data will be treated according to the vendor’s terms and conditions.


  • eBooks are intended for a single user only.
  • eBooks are accessible immediately after completing your purchase. Access to the link on the AICPA Store expires one year from the purchase date. You must create a VitalSource account before this time elapses in order to have continued access.
  • This product is refundable within 14 days of your purchase date if no more than 20% of the content was accessed.

Read our eBook Tutorial and see our FAQ for more information.

  • Adobe® Acrobat® Reader 8 or higher

Product details

The stakes have never been higher in cybersecurity. That's why your stakeholders are depending on you to deliver an airtight examination of risk management measures.

Our cybersecurity risk management reporting framework enables you to do this work, for companies of all sizes – in industries around the world.

A dynamic, proactive and agile approach to cybersecurity risk management

This authoritative guide shows you how to implement this framework when an organization seeks your opinion.

The guide includes two distinct but complementary sets of criteria that you can use in the examination.

Description criteria: Use these criteria to describe a company's cybersecurity risk management program and inform users about the processes and controls implemented to mitigate cybersecurity risks.

The description criteria enable consistency and efficiency when communicating the extent and effectiveness of the cybersecurity risk management controls in place.

CPAs may use these same criteria to evaluate management's description.

Control criteria: Use the 2017 Trust Services Criteria as the control criteria when evaluating the effectiveness of a company's cybersecurity program.

CPAs may also use these criteria to evaluate the effectiveness of the controls within a client's program in the cybersecurity examination or when providing cybersecurity advisory services.

The cybersecurity risk management examination is part of the AICPA's suite of System and Organization Controls – or SOC – service offerings.

Who Will Benefit?

  • CPAs looking to support clients' cybersecurity efforts – from readiness engagements performed under the consulting standards, to the new cybersecurity risk management examination

Key Topics

  • Interpretive guidance on performing and reporting on the new cybersecurity risk management examination
  • The description criteria issued in April 2017 by the AICPA's Assurance Services Executive Committee (ASEC), which may be used to evaluate the description of the entity's cybersecurity risk management program
  • The 2017 trust services criteria issued in April 2017 by ASEC, which may be used to evaluate the effectiveness of controls
  • Illustrative cybersecurity risk management reports, including an example organization's cybersecurity risk management program and a practitioner's report

American Institute of CPAs

The American Institute of CPAs (AICPA) is the world’s largest member association representing the CPA profession, with more than 418,000 members in 143 countries, and a history of serving the public interest since 1887. AICPA members represent many areas of practice, including business and industry, public practice, government, education and consulting.

The AICPA sets ethical standards for the profession and U.S. auditing standards for private companies, nonprofit organizations, federal, state and local governments. It develops and grades the Uniform CPA Examination, and offers specialized credentials for qualified professionals who concentrate on personal financial planning; forensic accounting; business valuation; and information management and technology assurance. With The Chartered Institute of Management Accountants (CIMA), it offers the Chartered Global Management Accountant (CGMA) designation, which sets the global benchmark for quality and recognition in management accounting.

The AICPA and CIMA also make up the Association of International Certified Professional Accountants (the Association), which represents public and management accounting globally, advocating on behalf of the public interest and advancing the quality, competency and employability of CPAs, CGMAs and other accounting and finance professionals worldwide.

The AICPA maintains offices in New York, Washington, DC, Durham, NC, and Ewing, NJ.