nerdexam
(ISC)2

CISSP · Question #1265

The Chief Information Security Officer (CISO) of an organization has requested that a Service Organization Control (SOC) report be created to outline the security and availability of a particular syst

The correct answer is B. SOC 2 Type 2. The type of SOC report that should be utilized to outline the security and availability of a particular system over a 12-month period is SOC 2 Type 2. SOC 2 Type 2 is a security audit report that provides information about the design and the operating effectiveness of the control

Submitted by alyssa_d· Mar 5, 2026Security Assessment and Testing

Question

The Chief Information Security Officer (CISO) of an organization has requested that a Service Organization Control (SOC) report be created to outline the security and availability of a particular system over a 12-month period. Which type of SOC report should be utilized?

Options

  • ASOC 1 Type 1
  • BSOC 2 Type 2
  • CSOC 2 Type 2
  • DSOC 3 Type 1

How the community answered

(43 responses)
  • A
    14% (6)
  • B
    79% (34)
  • C
    5% (2)
  • D
    2% (1)

Explanation

The type of SOC report that should be utilized to outline the security and availability of a particular system over a 12-month period is SOC 2 Type 2. SOC 2 Type 2 is a security audit report that provides information about the design and the operating effectiveness of the controls at a service organization relevant to the security and availability trust service categories, as well as the other trust service categories such as processing integrity, confidentiality, and privacy. SOC 2 Type 2 is the type of SOC report that should be utilized to outline the security and availability of a particular system over a 12- month period, because it can: Evaluate and assess the design and the effectiveness of the controls that the service organization has implemented and maintained for ensuring the security and availability of the system and the data that are used for providing the services or the solutions to the user entities or the customers, based on the criteria or the principles of the Trust Services Categories (TSC). Provide and present the information and the data about the service organization's system and the controls in relation to the security and availability, in the form of the audit report or the opinion that is prepared and issued by the independent auditor or the practitioner, and that is intended for the general or the restricted use of the user entities and the other interested or relevant parties or Cover a specified period of time, usually between six and twelve months, and include the description of the tests of controls and the results performed by the auditor, to demonstrate the operational effectiveness of the controls over the security and availability of the system and the

Topics

#SOC reports#security audit#availability controls#operational effectiveness

Community Discussion

No community discussion yet for this question.

Full CISSP Practice