Certified Information Systems Security Professional (CISSP) — Question 378

When reviewing vendor certifications for handling and processing of company data, which of the following is the BEST Service Organization Controls (SOC) certification for the vendor to possess?

Answer options

• A. SOC 1 Type 1
• B. SOC 2 Type 1
• C. SOC 2 Type 2
• D. SOC 3

Correct answer: C

Explanation

SOC 2 Type 2 is the most suitable certification as it evaluates the effectiveness of a vendor's controls over a specified period, ensuring ongoing compliance with data handling standards. SOC 1 Type 1 focuses on financial controls rather than data security, SOC 2 Type 1 assesses controls at a point in time, and SOC 3 provides a summary report that lacks the detailed information required for thorough risk assessment.