CISSP · Question #1183
When reviewing vendor certifications for handling and processing of company data, which of the following is the BEST Service Organization Controls (SOC) certification for the vendor to possess?
The correct answer is C. SOC 2 Type 2. SOC 2 Type 2 is the most rigorous and relevant certification for evaluating a vendor's controls over data handling and processing, covering both design and operational effectiveness over time.
Question
Options
- ASOC 1 Type 1
- BSOC 2 Type 1
- CSOC 2 Type 2
- DSOC 3
How the community answered
(31 responses)- A3% (1)
- B3% (1)
- C94% (29)
Why each option
SOC 2 Type 2 is the most rigorous and relevant certification for evaluating a vendor's controls over data handling and processing, covering both design and operational effectiveness over time.
SOC 1 Type 1 focuses on controls relevant to financial reporting (ICFR) at a single point in time, making it irrelevant for evaluating general data handling and processing security controls.
SOC 2 Type 1 covers the correct Trust Service Criteria for data handling but only evaluates whether controls are suitably designed at a single point in time, providing no assurance that those controls operate effectively over a sustained period.
SOC 2 Type 2 evaluates controls specifically related to security, availability, processing integrity, confidentiality, and privacy - the Trust Service Criteria directly relevant to data handling. Unlike Type 1, Type 2 assesses whether those controls operated effectively over a defined period (typically 6–12 months), providing much stronger assurance that the vendor consistently protects company data rather than just having controls in place at a single point in time.
SOC 3 is a publicly available summary report based on SOC 2 criteria but lacks the detailed control descriptions and auditor testing results needed to thoroughly evaluate a vendor's data handling practices, making it insufficient for vendor due diligence.
Concept tested: SOC report types and vendor data handling assurance
Source: https://www.aicpa.org/resources/article/soc-2-reporting-on-an-examination-of-controls-at-a-service-organization-relevant-to-security-availability-processing-integrity-confidentiality-or-privacy
Topics
Community Discussion
No community discussion yet for this question.