CISSP · Question #1274
When conducting a third-party risk assessment of a new supplier, which of the following reports should be reviewed to confirm the operating effectiveness of the security, availability, confidentiality
The correct answer is B. Service Organization Control (SOC) 2, Type 2. SOC 2 Type 2 reports are specifically designed to evaluate service organizations against the Trust Services Criteria, covering security, availability, confidentiality, processing integrity, and privacy over a defined period.
Question
When conducting a third-party risk assessment of a new supplier, which of the following reports should be reviewed to confirm the operating effectiveness of the security, availability, confidentiality, and privacy trust principles?
Options
- AService Organization Control (SOC) 1, Type 2
- BService Organization Control (SOC) 2, Type 2
- CInternational Organization for Standardization (ISO) 27001
- DInternational Organization for Standardization (ISO) 27002
How the community answered
(41 responses)- A2% (1)
- B83% (34)
- C10% (4)
- D5% (2)
Why each option
SOC 2 Type 2 reports are specifically designed to evaluate service organizations against the Trust Services Criteria, covering security, availability, confidentiality, processing integrity, and privacy over a defined period.
SOC 1 Type 2 reports focus exclusively on internal controls over financial reporting (ICFR) and are not designed to assess security, availability, confidentiality, or privacy trust principles.
SOC 2 Type 2 reports are issued by independent auditors and assess a service organization's controls against the AICPA Trust Services Criteria (TSC), which explicitly include security, availability, confidentiality, processing integrity, and privacy. The 'Type 2' designation confirms that the report covers operating effectiveness of those controls over a historical period (typically 6-12 months), not just their design, making it the ideal evidence for a third-party risk assessment of a supplier.
ISO 27001 is a certification that confirms an organization has implemented an Information Security Management System (ISMS) meeting the standard's requirements, but it does not provide detailed evidence of operating effectiveness across availability, confidentiality, and privacy trust principles in the same structured way as a SOC 2 Type 2.
ISO 27002 is a code of practice providing guidelines and best practices for information security controls, but it is not an audit report or certification and therefore cannot confirm the operating effectiveness of any controls at a supplier.
Concept tested: SOC 2 Type 2 report and Trust Services Criteria
Source: https://www.aicpa-cima.com/resources/landing/system-and-organization-controls-soc-suite-of-services
Topics
Community Discussion
No community discussion yet for this question.