Certified Cloud Security Professional (CCSP) — Question 356
Audits are either done based on the status of a system or application at a specific time or done as a study over a period of time that takes into account changes and processes.
Which of the following pairs matches an audit type that is done over time, along with the minimum span of time necessary for it?
Answer options
- A. SOC Type 2, one year
- B. SOC Type 1, one year
- C. SOC Type 2, one month
- D. SOC Type 2, six months
Correct answer: D
Explanation
The correct answer is D, as a SOC Type 2 audit examines the effectiveness of controls over a minimum period of six months. Option A is incorrect because SOC Type 2 does not require a full year as a minimum. Option B is incorrect because it refers to SOC Type 1, which is a snapshot audit at a specific time rather than an audit done over time. Option C is also incorrect because SOC Type 2 requires a longer duration than one month.