nerdexam
(ISC)2

CISSP · Question #1183

When reviewing vendor certifications for handling and processing of company data, which of the following is the BEST Service Organization Controls (SOC) certification for the vendor to possess?

The correct answer is C. SOC 2 Type 2. SOC 2 Type 2 is the most rigorous and relevant certification for evaluating a vendor's controls over data handling and processing, covering both design and operational effectiveness over time.

Submitted by krish.m· Mar 5, 2026Security and Risk Management

Question

When reviewing vendor certifications for handling and processing of company data, which of the following is the BEST Service Organization Controls (SOC) certification for the vendor to possess?

Options

  • ASOC 1 Type 1
  • BSOC 2 Type 1
  • CSOC 2 Type 2
  • DSOC 3

How the community answered

(31 responses)
  • A
    3% (1)
  • B
    3% (1)
  • C
    94% (29)

Why each option

SOC 2 Type 2 is the most rigorous and relevant certification for evaluating a vendor's controls over data handling and processing, covering both design and operational effectiveness over time.

ASOC 1 Type 1

SOC 1 Type 1 focuses on controls relevant to financial reporting (ICFR) at a single point in time, making it irrelevant for evaluating general data handling and processing security controls.

BSOC 2 Type 1

SOC 2 Type 1 covers the correct Trust Service Criteria for data handling but only evaluates whether controls are suitably designed at a single point in time, providing no assurance that those controls operate effectively over a sustained period.

CSOC 2 Type 2Correct

SOC 2 Type 2 evaluates controls specifically related to security, availability, processing integrity, confidentiality, and privacy - the Trust Service Criteria directly relevant to data handling. Unlike Type 1, Type 2 assesses whether those controls operated effectively over a defined period (typically 6–12 months), providing much stronger assurance that the vendor consistently protects company data rather than just having controls in place at a single point in time.

DSOC 3

SOC 3 is a publicly available summary report based on SOC 2 criteria but lacks the detailed control descriptions and auditor testing results needed to thoroughly evaluate a vendor's data handling practices, making it insufficient for vendor due diligence.

Concept tested: SOC report types and vendor data handling assurance

Source: https://www.aicpa.org/resources/article/soc-2-reporting-on-an-examination-of-controls-at-a-service-organization-relevant-to-security-availability-processing-integrity-confidentiality-or-privacy

Topics

#SOC reports#vendor management#compliance#third-party risk

Community Discussion

No community discussion yet for this question.

Full CISSP Practice