CISSP Question #1262: Real Exam Question with Answer & Explanation
The correct answer is B: Service Organization Control (SOC) 2. A SOC 2 report provides information about the design and operating effectiveness of the controls at a service organization that are relevant to the confidentiality, integrity, and availability of the IS and data used to provide services or solutions to user entities or customers.
Question
Which security audit standard provides the BEST way for an organization to understand a vendor's Information Systems (IS) in relation to confidentiality, integrity, and availability?
Options
- A. Statement on Auditing Standards (SAS) 70
- B. Service Organization Control (SOC) 2
- C. Service Organization Control (SOC) 1
- D. Statement on Standards for Attestation Engagements (SSAE) 18
Explanation
A SOC 2 report provides information about the design and operating effectiveness of the controls at a service organization that are relevant to the confidentiality, integrity, and availability of the IS and data used to provide services or solutions to user entities or customers. A SOC 2 report is based on the Trust Services Criteria (TSC), the standards and guidelines for evaluating and reporting on a service organization's security controls. A SOC 2 report helps an organization understand a vendor's IS in relation to confidentiality, integrity, and availability by:

- Evaluating and assessing the vendor's IS and controls against the TSC (security, availability, processing integrity, confidentiality, and privacy) and determining whether they are suitably designed and operating effectively to protect the IS and data and keep them reliable.
- Presenting information about the vendor's IS and controls in an audit report or opinion prepared and issued by an independent auditor or practitioner, intended for the general or restricted use of the organization and other interested parties or stakeholders.
- Benchmarking the vendor's IS and controls against industry standards and best practices, and against the expectations and requirements of the organization and other relevant parties or stakeholders, and identifying gaps or issues in the vendor's IS and controls so they can be addressed.