When reviewing vendor certifications for handling and processing of company data, which of the following is the BEST Service Organization Controls (SOC) certification for the vendor to possess?
C is correct - sharing my notes from Prabh Nair (check out his coffee shot video)
There is no Type 1 or 2 for SOC 3, and it's used as a high-level report generally available in the public domain/website.
SOC 1 & 2 have Type 1 and Type 2. Type 1 is the design of control while Type 2 is the effectiveness of the control.
SOC 1 is good for financial/books of account.
SOC 2 talks about IT.
Answer is C:
When reviewing vendor certifications for handling and processing of company data, the best Service Organization Controls (SOC) certification for the vendor to possess is the SOC 2 Type II certification. This certification is the most stringent with regard to data security and privacy, and is the most highly sought after by companies. It provides assurance that the vendor has appropriate processes, procedures, and controls in place for the data that they process. It also provides assurance to customers that the vendor is upholding the standards set by the American Institute of Certified Public Accountants (AICPA). The SOC 2 Type II certification is the gold standard with regard to data security and privacy, and is the best certification a vendor can possess.
I think the answer is D (SOC3) because SOC2 reports are always for internal mgmt, not for outsiders. Here, we are the outsiders and the organization will only share SOC3 with us. SOC3 reports are always type-II.
C is my answer based on the data protection purposes of SOC 2 Type II.
SOC 2 offers a Type 1 and Type 2 report.
The Type 1 report is a point-in-time snapshot of your organization’s controls, validated by tests to determine if the controls are designed appropriately.
The Type 2 report looks at the effectiveness of those same controls over a more extended period - usually 12 months.
Data handling is SOC 2 Type 1 or 2, but Type 2 is preferred.
SOC 2 Type II (3 - 12 months monitoring period).
Assesses the effectiveness of security processes by observing operations for at least three months. 6 - 12 months recommended.