Certified Information Systems Security Professional (CISSP) — Question 411
Which security audit standard provides the BEST way for an organization to understand a vendor's Information Systems (IS) in relation to confidentiality, integrity, and availability?
Answer options
- A. Service Organization Control (SOC) 2
- B. Statement on Standards for Attestation Engagements (SSAE) 18
- C. Statement on Auditing Standards (SAS) 70
- D. Service Organization Control (SOC) 1
Correct answer: A
Explanation
The correct answer is A, Service Organization Control (SOC) 2. A SOC 2 report is an independent auditor's assessment of a service organization's controls against the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy), which map directly to the confidentiality, integrity, and availability of the vendor's information systems. A SOC 1 report (option D) covers only the controls relevant to a customer's internal control over financial reporting, so it says little about how the vendor protects data. SSAE 18 (option B) is the attestation standard under which SOC reports are produced; it defines how the auditor performs the engagement, not the security criteria being tested, so it is not itself the report an organization would review. SAS 70 (option C) is the superseded predecessor of SSAE 16 and SSAE 18 and, like SOC 1, was oriented toward financial-reporting controls. In practice, a reviewer should ask for the SOC 2 Type II report (controls tested over a period, not just described at a point in time), check which Trust Services Criteria were in scope, and read any exceptions the auditor noted.