Certificate of Cloud Auditing Knowledge (CCAK) — Question 211

An auditor wants to get information about the operating effectiveness of controls addressing privacy, availability, and confidentiality of a service organization. Which of the following can BEST help to gain the required information?

Answer options

• A. SOC2 Type 2 report
• B. ISAE 3402 report
• C. SOC1 Type 1 report
• D. ISO/IEC 27001 certification

Correct answer: A

Explanation

The SOC2 Type 2 report is specifically designed to evaluate the operating effectiveness of controls related to security, availability, processing integrity, confidentiality, and privacy over a period of time, making it the best choice. The ISAE 3402 report focuses more on internal controls over financial reporting, while the SOC1 Type 1 report assesses controls at a specific point in time and does not address privacy or confidentiality comprehensively. ISO/IEC 27001 certification demonstrates an organization's commitment to information security management but does not provide the same level of detail regarding operational effectiveness as the SOC2 Type 2 report.