Which security audit standard provides the BEST way for an organization to understand a vendor's Information Systems (IS) in relation to confidentiality, integrity, and availability?
A. Service Organization Control (SOC) 2
B. Statement on Standards for Attestation Engagements (SSAE) 18
ugh I really don't like questions like this. Technically, based on the wording, the true answer is that it would be SSAE 18 as this defines how the SOC reports are generated. But the question is: would a CEO/manager give a shit what standard was being used, or would they just want the SOC 2 report?
Even though the officially correct answer is SSAE 18, the organization is concerned with the controls, so ima go with SOC 2. SSAE 18 applies to all 3 reports. That would be the CEO answer. You would be in a world of hurt if a CEO asked for the audit standard to achieve confidentiality, integrity, and availability and you were like "well actually the standard is defining 3 reports".
Answer A) Service Organization Control (SOC) 2
The other three refer to financial standards. https://ssae-16.com/soc-1/#:~:text=The%20SOC1%20Report%20is%20what,of%20May%201%2C%202017).
Answer is B, the question clearly states "standard". The SSAE 18 is a standard that is used to generate the SOC2 report.
"The Statement on Standards for Attestation Engagements 18, or SSAE 18, is a standard that auditors can use to review the controls of technology vendors and other service providers so that businesses using those vendors can be confident that the vendors’ controls-particularly those related to cybersecurity"
https://reciprocity.com/understanding-ssae-18-requirements/
CISSP Official Study Guide pg 729 - "SOC 2 Engagements Assess the organization's controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system. SOC 2 audit results are confidential and are normally only shared outside the organization under an NDA."
B.
The question asks "security audit standard". Among the 4 answers, only SSAE 18 is a Generally Accepted Auditing Standard. SOC 1, SOC 2 and SAS 70 are all report types.
https://www.esgthereport.com/what-are-ssae-18-standards/
SSAE 18 is an AICPA standard that provides guidelines for evaluating the effectiveness of information security, availability, processing integrity, confidentiality, and privacy controls in cloud computing services.