nerdexam
(ISC)2

CISSP · Question #1020

An international organization has decided to use a Software as a Service (SaaS) solution to support its business operations. Which of the following compliance standards should the organization use to

The correct answer is B. Service Organization Control (SOC) 2. When evaluating a SaaS solution for international code security and data privacy, SOC 2 is the appropriate compliance framework as it is specifically designed to assess service organizations' controls over security, availability, processing integrity, confidentiality, and privacy

Submitted by khalil_dz· Mar 5, 2026Security and Risk Management

Question

An international organization has decided to use a Software as a Service (SaaS) solution to support its business operations. Which of the following compliance standards should the organization use to assess the international code security and data privacy of the solution?

Options

  • AHealth Insurance Portability and Accountability Act (HIPAA)
  • BService Organization Control (SOC) 2
  • CPayment Card Industry (PCI)
  • DInformation Assurance Technical Framework (IATF)

How the community answered

(28 responses)
  • A
    4% (1)
  • B
    79% (22)
  • C
    4% (1)
  • D
    14% (4)

Why each option

When evaluating a SaaS solution for international code security and data privacy, SOC 2 is the appropriate compliance framework as it is specifically designed to assess service organizations' controls over security, availability, processing integrity, confidentiality, and privacy.

AHealth Insurance Portability and Accountability Act (HIPAA)

HIPAA is a U.S.-specific regulation applicable only to healthcare organizations and their business associates that handle protected health information (PHI), making it too narrow and industry-specific for a general international SaaS assessment.

BService Organization Control (SOC) 2Correct

SOC 2 is a widely recognized international auditing standard developed by the AICPA that evaluates a service organization's controls related to security, availability, processing integrity, confidentiality, and privacy - making it directly applicable to assessing SaaS solutions. It is not industry-specific and is used globally to validate that a third-party service provider manages customer data securely and in compliance with privacy principles. Organizations evaluating SaaS vendors commonly require SOC 2 Type II reports to assess the security posture and data privacy practices of the solution.

CPayment Card Industry (PCI)

PCI DSS is a compliance standard specifically focused on organizations that process, store, or transmit payment card data, and is not a general-purpose framework for assessing international code security and data privacy of a SaaS solution.

DInformation Assurance Technical Framework (IATF)

IATF is a U.S. Department of Defense framework focused on information assurance for government and military systems, and is not applicable to evaluating commercial SaaS solutions for international business operations.

Concept tested: SaaS compliance frameworks for international data privacy

Source: https://www.aicpa-cima.com/resources/landing/system-and-organization-controls-soc-suite-of-services

Topics

#SaaS compliance#Cloud security#Data privacy#SOC 2

Community Discussion

No community discussion yet for this question.

Full CISSP Practice