CompTIA Security+ (SY0-601) — Question 539

A hosting provider needs to prove that its security controls have been in place over the last six months and have sufficiently protected customer data. Which of the following would provide the best proof that the hosting provider has met the requirements?

Answer options

• A. NIST CSF
• B. SOC 2 Type 2 report
• C. CIS Top 20 compliance reports
• D. Vulnerability report

Correct answer: B

Explanation

The SOC 2 Type 2 report is specifically designed to assess the effectiveness of an organization's controls over a specified period, making it the most suitable proof for the hosting provider's claims. In contrast, the NIST CSF is a framework, the CIS Top 20 compliance reports focus on best practices rather than specific control effectiveness, and vulnerability reports only identify security weaknesses without demonstrating control efficacy.