Certified Information Systems Security Professional (CISSP) — Question 101
When conducting a third-party risk assessment of a new supplier, which of the following reports should be reviewed to confirm the operating effectiveness of the security, availability, confidentiality, and privacy trust principles?
Answer options
- A. Service Organization Control (SOC) 1, Type 2
- B. Service Organization Control (SOC) 2, Type 2
- C. International Organization for Standardization (ISO) 27001
- D. International Organization for Standardization (ISO) 27002
Correct answer: B
Explanation
The correct answer is B. A Service Organization Control (SOC) 2 report evaluates a service organization's controls against the Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy), and a Type 2 report attests to the operating effectiveness of those controls over a review period rather than only their design at a point in time, which is what the question asks for. Option A, SOC 1, covers controls relevant to the customer's financial reporting, not the trust principles. Options C and D are ISO standards rather than third-party attestation reports: ISO 27001 specifies requirements for an information security management system, and ISO 27002 is the accompanying code of practice for security controls, so neither provides an auditor's opinion on operating effectiveness for a specific supplier.