CISSP · Question #1020
An international organization has decided to use a Software as a Service (SaaS) solution to support its business operations. Which of the following compliance standards should the organization use to
The correct answer is B. Service Organization Control (SOC) 2. When evaluating a SaaS solution for international code security and data privacy, SOC 2 is the appropriate compliance framework as it is specifically designed to assess service organizations' controls over security, availability, processing integrity, confidentiality, and privacy
Question
Options
- AHealth Insurance Portability and Accountability Act (HIPAA)
- BService Organization Control (SOC) 2
- CPayment Card Industry (PCI)
- DInformation Assurance Technical Framework (IATF)
How the community answered
(28 responses)- A4% (1)
- B79% (22)
- C4% (1)
- D14% (4)
Why each option
When evaluating a SaaS solution for international code security and data privacy, SOC 2 is the appropriate compliance framework as it is specifically designed to assess service organizations' controls over security, availability, processing integrity, confidentiality, and privacy.
HIPAA is a U.S.-specific regulation applicable only to healthcare organizations and their business associates that handle protected health information (PHI), making it too narrow and industry-specific for a general international SaaS assessment.
SOC 2 is a widely recognized international auditing standard developed by the AICPA that evaluates a service organization's controls related to security, availability, processing integrity, confidentiality, and privacy - making it directly applicable to assessing SaaS solutions. It is not industry-specific and is used globally to validate that a third-party service provider manages customer data securely and in compliance with privacy principles. Organizations evaluating SaaS vendors commonly require SOC 2 Type II reports to assess the security posture and data privacy practices of the solution.
PCI DSS is a compliance standard specifically focused on organizations that process, store, or transmit payment card data, and is not a general-purpose framework for assessing international code security and data privacy of a SaaS solution.
IATF is a U.S. Department of Defense framework focused on information assurance for government and military systems, and is not applicable to evaluating commercial SaaS solutions for international business operations.
Concept tested: SaaS compliance frameworks for international data privacy
Source: https://www.aicpa-cima.com/resources/landing/system-and-organization-controls-soc-suite-of-services
Topics
Community Discussion
No community discussion yet for this question.