nerdexam
(ISC)2

CISSP · Question #482

Which of the following System and Organization Controls (SOC) report types should an organization request if they require a period of time report covering security and availability for a particular sy

The correct answer is D. SOC 2 Type 2. SOC 2 Type 2 reports cover security, availability, processing integrity, confidentiality, and privacy Trust Service Criteria over a defined period of time, making it the appropriate choice when both the subject matter (security/availability) and a time-period review are required.

Submitted by alyssa_d· Mar 5, 2026Security Assessment and Testing

Question

Which of the following System and Organization Controls (SOC) report types should an organization request if they require a period of time report covering security and availability for a particular system?

Options

  • ASOC 1 Type 1
  • BSOC 1 Type 2
  • CSOC 2 Type 1
  • DSOC 2 Type 2

How the community answered

(25 responses)
  • A
    8% (2)
  • C
    4% (1)
  • D
    88% (22)

Why each option

SOC 2 Type 2 reports cover security, availability, processing integrity, confidentiality, and privacy Trust Service Criteria over a defined period of time, making it the appropriate choice when both the subject matter (security/availability) and a time-period review are required.

ASOC 1 Type 1

SOC 1 Type 1 assesses controls relevant to financial reporting at a single point in time, not over a period, and does not address security or availability Trust Service Criteria.

BSOC 1 Type 2

SOC 1 Type 2 covers financial reporting controls over a period of time, but it is scoped to internal controls over financial reporting (ICFR), not security or availability.

CSOC 2 Type 1

SOC 2 Type 1 does address security and availability Trust Service Criteria, but it only reflects the design of controls at a single point in time rather than their operating effectiveness over a period.

DSOC 2 Type 2Correct

SOC 2 Type 2 evaluates controls relevant to the Trust Service Criteria (including security and availability) over a specified period of time, typically 6-12 months, providing evidence that controls were operating effectively throughout that period. This distinguishes it from a Type 1 report (point-in-time) and from SOC 1 (which focuses on financial reporting controls). It is the standard report requested when ongoing operational effectiveness for security and availability must be demonstrated.

Concept tested: SOC report types and Trust Service Criteria scope

Source: https://www.aicpa-cima.com/resources/landing/system-and-organization-controls-soc-suite-of-services

Topics

#SOC 2 report#Type 2 audit#Compliance#Third-party assessment

Community Discussion

No community discussion yet for this question.

Full CISSP Practice