CISSP · Question #482
Which of the following System and Organization Controls (SOC) report types should an organization request if they require a period of time report covering security and availability for a particular sy
The correct answer is D. SOC 2 Type 2. SOC 2 Type 2 reports cover security, availability, processing integrity, confidentiality, and privacy Trust Service Criteria over a defined period of time, making it the appropriate choice when both the subject matter (security/availability) and a time-period review are required.
Question
Which of the following System and Organization Controls (SOC) report types should an organization request if they require a period of time report covering security and availability for a particular system?
Options
- ASOC 1 Type 1
- BSOC 1 Type 2
- CSOC 2 Type 1
- DSOC 2 Type 2
How the community answered
(25 responses)- A8% (2)
- C4% (1)
- D88% (22)
Why each option
SOC 2 Type 2 reports cover security, availability, processing integrity, confidentiality, and privacy Trust Service Criteria over a defined period of time, making it the appropriate choice when both the subject matter (security/availability) and a time-period review are required.
SOC 1 Type 1 assesses controls relevant to financial reporting at a single point in time, not over a period, and does not address security or availability Trust Service Criteria.
SOC 1 Type 2 covers financial reporting controls over a period of time, but it is scoped to internal controls over financial reporting (ICFR), not security or availability.
SOC 2 Type 1 does address security and availability Trust Service Criteria, but it only reflects the design of controls at a single point in time rather than their operating effectiveness over a period.
SOC 2 Type 2 evaluates controls relevant to the Trust Service Criteria (including security and availability) over a specified period of time, typically 6-12 months, providing evidence that controls were operating effectively throughout that period. This distinguishes it from a Type 1 report (point-in-time) and from SOC 1 (which focuses on financial reporting controls). It is the standard report requested when ongoing operational effectiveness for security and availability must be demonstrated.
Concept tested: SOC report types and Trust Service Criteria scope
Source: https://www.aicpa-cima.com/resources/landing/system-and-organization-controls-soc-suite-of-services
Topics
Community Discussion
No community discussion yet for this question.