CompTIA Security+ (SY0-601) — Question 648

Which of the following security program audits includes a comprehensive evaluation of the security controls in place at an organization over a six- to 12-month time period?

Answer options

Correct answer: B

Explanation

The correct answer is SOC 2 Type II, because a Type II report specifically evaluates whether an organization's security controls operated effectively over a defined review period (typically six to 12 months), rather than at a single point in time. In contrast, NIST CSF is a framework for organizing cybersecurity activities, ISO 27001 is a standard for information security management systems against which an organization can be certified, and PCI DSS is a set of security requirements for handling payment card data; none of these is itself a comprehensive audit of control effectiveness over a period of time.