ISC2 CISSP Exam - Topic 5 Question 100 Discussion

The type of SOC report that should be utilized to outline the security and availability of a particular system over a 12-month period is SOC 2 Type 2. SOC 2 Type 2 is a security audit report that provides information about the design and the operating effectiveness of the controls at a service organization relevant to the security and availability trust service categories, as well as the other trust service categories such as processing integrity, confidentiality, and privacy. SOC 2 Type 2 is the type of SOC report that should be utilized to outline the security and availability of a particular system over a 12-month period, because it can:

Evaluate and assess the design and the effectiveness of the controls that the service organization has implemented and maintained for ensuring the security and availability of the system and the data that are used for providing the services or the solutions to the user entities or the customers, based on the criteria or the principles of the Trust Services Categories (TSC).

Provide and present the information and the data about the service organization's system and the controls in relation to the security and availability, in the form of the audit report or the opinion that is prepared and issued by the independent auditor or the practitioner, and that is intended for the general or the restricted use of the user entities and the other interested or relevant parties or stakeholders.

Cover a specified period of time, usually between six and twelve months, and include the description of the tests of controls and the results performed by the auditor, to demonstrate the operational effectiveness of the controls over the security and availability of the system and the data.

The other options are not the types of SOC report that should be utilized to outline the security and availability of a particular system over a 12-month period. SOC 1 Type 1 is a security audit report that provides information about the design of the controls at a service organization relevant to the internal control over financial reporting of the user entities or the customers, based on the control objectives defined by the service organization. SOC 1 Type 1 is not the type of SOC report that should be utilized to outline the security and availability of a particular system over a 12-month period, because it does not:

Evaluate and assess the effectiveness of the controls that the service organization has implemented and maintained for ensuring the security and availability of the system and the data, but rather the controls that affect the financial reporting of the user entities or the customers.

Provide and present the information and the data about the service organization's system and the controls in relation to the security and availability, but rather the controls in relation to the internal control over financial reporting of the user entities or the customers.

Cover a specified period of time, or include the description of the tests of controls and the results performed by the auditor, but rather evaluate the design of the controls at a point in time.

SOC 2 Type 1 is a security audit report that provides information about the design of the controls at a service organization relevant to the security and availability trust service categories, as well as the other trust service categories such as processing integrity, confidentiality, and privacy. SOC 2 Type 1 is not the type of SOC report that should be utilized to outline the security and availability of a particular system over a 12-month period, because it does not:

Evaluate and assess the effectiveness of the controls that the service organization has implemented and maintained for ensuring the security and availability of the system and the data, but rather the design of the controls at a point in time.

Include the description of the tests of controls and the results performed by the auditor, to demonstrate the operational effectiveness of the controls over the security and availability of the system and the data.

SOC 3 Type 1 is a security audit report that provides information about the design of the controls at a service organization relevant to the security and availability trust service categories, as well as the other trust service categories such as processing integrity, confidentiality, and privacy. SOC 3 Type 1 is not the type of SOC report that should be utilized to outline the security and availability of a particular system over a 12-month period, because it does not:

Evaluate and assess the effectiveness of the controls that the service organization has implemented and maintained for ensuring the security and availability of the system and the data, but rather the design of the controls at a point in time.

Include the description of the tests of controls and the results performed by the auditor, to demonstrate the operational effectiveness of the controls over the security and availability of the system and the data.

Provide and present the information and the data about the service organization's system and the controls in relation to the security and availability, in the form of the audit report or the opinion, but rather in the form of the seal or the logo that indicates the compliance with the TSC.