CISSP Question #1183: Real Exam Question with Answer & Explanation

The correct answer is C: SOC 2 Type 2.

Submitted by krish.m · Mar 5, 2026 · Domain: Security and Risk Management

Question

When reviewing vendor certifications for handling and processing of company data, which of the following is the BEST Service Organization Controls (SOC) certification for the vendor to possess?

Options

  • A. SOC 1 Type 1
  • B. SOC 2 Type 1
  • C. SOC 2 Type 2
  • D. SOC 3

Explanation

SOC 2 Type 2 is the most rigorous and relevant certification for evaluating a vendor's controls over data handling and processing, covering both design and operational effectiveness over time.

Common mistakes.

  • A. SOC 1 Type 1 focuses on controls relevant to financial reporting (ICFR) at a single point in time, making it irrelevant for evaluating general data handling and processing security controls.
  • B. SOC 2 Type 1 covers the correct Trust Service Criteria for data handling but only evaluates whether controls are suitably designed at a single point in time, providing no assurance that those controls operate effectively over a sustained period.
  • D. SOC 3 is a publicly available summary report based on SOC 2 criteria but lacks the detailed control descriptions and auditor testing results needed to thoroughly evaluate a vendor's data handling practices, making it insufficient for vendor due diligence.

Concept tested. SOC report types and vendor data handling assurance

Reference. https://www.aicpa.org/resources/article/soc-2-reporting-on-an-examination-of-controls-at-a-service-organization-relevant-to-security-availability-processing-integrity-confidentiality-or-privacy

Topics

SOC reports, vendor management, compliance, third-party risk
