Certified Cloud Security Professional (CCSP) — Question 372
Because cloud providers will not release detailed information about their infrastructure and practices to the general public, they often rely on established audit reports to ensure public trust, with the reputation of the auditors serving as the assurance.
Which type of audit report can be used for general public trust assurances?
Answer options
- A. SOC 2
- B. SAS-70
- C. SOC 3
- D. SOC 1
Correct answer: C
Explanation
SOC 3 reports are specifically designed for public distribution and provide a summary of the auditor's opinion on the controls in place, thereby enhancing public trust. In contrast, SOC 2 reports contain more detailed information and are not typically shared publicly, while SAS-70 has been replaced by SOC reports and is no longer used for this purpose. SOC 1 focuses on internal controls related to financial reporting, which does not directly address public trust.