Certified Cloud Security Professional (CCSP) — Question 40

Which type of audit report is considered a "restricted use" report for its intended audience?

Answer options

Correct answer: D

Explanation

The correct answer is D, SOC Type 2, as this report is designed for a limited audience and contains sensitive information about the controls in place. In contrast, SAS-70 and SSAE-16 are older standards and do not have the same restricted use classification, while SOC Type 1 reports focus on the design of controls rather than their operational effectiveness over time.