CompTIA Security+ (SY0-701) — Question 232

A hosting provider needs to prove that its security controls have been in place over the last six months and have sufficiently protected customer data. Which of the following would provide the best proof that the hosting provider has met the requirements?

Answer options

• A. NIST CSF
• B. SOC 2 Type 2 report
• C. CIS Top 20 compliance reports
• D. Vulnerability report

Correct answer: B

Explanation

The SOC 2 Type 2 report is specifically designed to assess the operational effectiveness of a service provider's security controls over a specified period, making it the most appropriate proof of compliance. In contrast, the NIST CSF is a framework rather than a verification report, CIS Top 20 compliance reports do not provide a comprehensive operational history, and vulnerability reports focus on current weaknesses rather than historical efficacy.