CISSP Question #875: Real Exam Question with Answer & Explanation
The correct answer is B: Service Organization Control (SOC) 2. When evaluating an Identity as a Service (IDaaS) solution, a Service Organization Control (SOC) 2 report offers the most comprehensive attestation of detailed controls related to security and operational aspects.
Question
Which of the following reports provides the BEST attestation of detailed controls when evaluating an Identity as a Service (IDaaS) solution?
Options
- A. Service Organization Control (SOC) 1
- B. Service Organization Control (SOC) 2
- C. Service Organization Control (SOC) 3
- D. Statement on Auditing Standards (SAS) 70
Explanation
When evaluating an Identity as a Service (IDaaS) solution, a Service Organization Control (SOC) 2 report offers the most comprehensive attestation of detailed controls related to security and operational aspects.
Common mistakes.
- A. SOC 1 reports primarily focus on controls relevant to a user entity's internal control over financial reporting, not the detailed security and operational controls of an IDaaS solution.
- C. SOC 3 reports are general-use reports that provide a high-level overview without the detailed control information necessary for a thorough technical evaluation of an IDaaS solution.
- D. SAS 70 is an outdated auditing standard that has been replaced by the SOC reporting framework and focused on internal controls over financial reporting, not the broader operational controls of an IDaaS.
Concept tested. Evaluating IDaaS controls using audit reports (SOC 2)
Reference. https://learn.microsoft.com/en-us/compliance/regulatory/offering-soc-1-2-3