Appendix C

Description Criteria for Use in the Cybersecurity Risk Management Examination

This appendix is nonauthoritative and is included for informational purposes only.

The description criteria and related implementation guidance in this appendix have been extracted from Description Criteria for Management’s Description of the Entity’s Cybersecurity Risk Management Program, issued in April 2017 by the AICPA’s Assurance Services Executive Committee. The complete text may be found at www.aicpa.org/cybersecurityriskmanagement.

NATURE OF BUSINESS AND OPERATIONS

DC1: The nature of the entity’s business and operations, including the principal products or services the entity sells or provides and the methods by which they are distributed

Implementation Guidance

When making judgments about the nature and extent of disclosures to include about this criterion, consider the following:

The entity’s principal markets, including the geographic locations of those markets, and changes to those markets

If the entity operates more than one business, the relative importance of the entity’s operations in each business and the basis for management’s determination (for example, revenues or asset values)

NATURE OF INFORMATION AT RISK

DC2: The principal types of sensitive information created, collected, transmitted, used, or stored by the entity

Implementation Guidance

When making judgments about the nature and extent of disclosures to include about this criterion, consider the ...
