Certified Information Systems Security Professional (CISSP) — Question 224
The Chief Information Security Officer (CISO) of an organization has requested that a Service Organization Control (SOC) report be created to outline the security and availability of a particular system over a 12-month period. Which type of SOC report should be utilized?
Answer options
- A. SOC 1 Type 1
- B. SOC 1 Type 2
- C. SOC 2 Type 2
- D. SOC 3 Type 1
Correct answer: C
Explanation
The correct answer is SOC 2 Type 2, because it evaluates the controls related to security and availability over a specified period, in this case 12 months. SOC 1 reports focus on financial reporting controls, while SOC 3 is more of a summary report and does not provide the same level of detail as SOC 2 Type 2.