Certified Information Systems Security Professional (CISSP) — Question 406
A cloud hosting provider would like to provide a Service Organization Control (SOC) report relevant to its security program. This report should be an abbreviated report that can be freely distributed. Which type of report BEST meets this requirement?
Answer options
- A. SOC 1
- B. SOC 2 Type 1
- C. SOC 2 Type 2
- D. SOC 3
Correct answer: D
Explanation
The SOC 3 report is designed for public distribution and provides a high-level overview of a service organization's controls related to security, making it ideal for this situation. In contrast, SOC 1, SOC 2 Type 1, and SOC 2 Type 2 reports contain more detailed information that is typically intended for specific stakeholders and are not meant for general distribution.