Exam CISSP
Question 169

Which security audit standard provides the BEST way for an organization to understand a vendor's Information Systems (IS) in relation to confidentiality, integrity, and availability?

    Correct Answer: A

    Service Organization Control (SOC) 2 reports specifically focus on the controls at a service organization relevant to security, availability, processing integrity, confidentiality, and privacy of data, which directly relate to the concepts of confidentiality, integrity, and availability. SOC 1 reports, on the other hand, are more focused on the controls related to financial reporting. Therefore, SOC 2 is the most appropriate standard for understanding a vendor's information systems in relation to confidentiality, integrity, and availability.

Discussion
[Removed] (Option: A)

Soc 2 for sure

jackdryan

A is correct

Rollizo (Option: A)

SOC 1 is only financial... it is SOC 2

Firedragon (Option: B)

B. The question asks "security audit standard". Among the 4 answers, only SSAE 18 is a Generally Accepted Auditing Standard. SOC 1, SOC 2 and SAS 70 are all report types. https://www.esgthereport.com/what-are-ssae-18-standards/ SSAE 18 is an AICPA standard that provides guidelines for evaluating the effectiveness of information security, availability, processing integrity, confidentiality, and privacy controls in cloud computing services.

somkiatr

Agreed.

RVoigt (Option: A)

CISSP Official Study Guide pg 729 - "SOC 2 Engagements Assess the organization's controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system. SOC 2 audit results are confidential and are normally only shared outside the organization under an NDA."

somkiatr (Option: B)

B (SSAE) would be correct. Reference: https://www.advancedbusinesssolutions.com/whats-a-soc-compliant-service-provider/

Jarn (Option: B)

SSAE 18 is the standard, which is what the question is looking for.

klarak (Option: B)

SSAE 18 seems to be the answer here: https://reciprocity.com/resources/what-is-a-ssae-18-audit/

eboehm (Option: A)

ugh I really don't like questions like this. Technically, based on the wording, the true answer is that it would be SSAE 18 as this defines how the SOC reports are generated. But the question is would a CEO/manager give a shit what standard was being used or would they just want the SOC 2 report

eboehm

Even though the officially correct answer is SSAE 18, the organization is concerned with the controls so I'm going with SOC 2. SSAE 18 applies to all 3 reports. That would be the CEO answer. You would be in a world of hurt if a CEO asked for the audit standard to achieve confidentiality, integrity, and availability and you were like well actually the standard is defining 3 reports

dm808 (Option: B)

The question is asking about an auditing standard. SSAE 18 is a standard. SOC 1 and 2 are reports, and SOC reports are defined in the SSAE 18

YesPlease (Option: A)

Answer A) Service Organization Control (SOC) 2. The other three refer to financial standards. https://ssae-16.com/soc-1/#:~:text=The%20SOC1%20Report%20is%20what,of%20May%201%2C%202017).

7f7b53c (Option: A)

B. SOC is not a standard

Dann108 (Option: A)

SOC 2 is a voluntary compliance standard for service organizations.

MShaaban (Option: A)

It is A.

HughJassole (Option: B)

Answer is B, the question clearly states "standard". The SSAE 18 is a standard that is used to generate the SOC 2 report. "The Statement on Standards for Attestation Engagements 18, or SSAE 18, is a standard that auditors can use to review the controls of technology vendors and other service providers so that businesses using those vendors can be confident that the vendors' controls - particularly those related to cybersecurity" https://reciprocity.com/understanding-ssae-18-requirements/

ST811 (Option: A)

Why A? SOC 2 should be confidential

Ivanchun (Option: A)

Select A, SOC 1 is about the financial report?

Petergriffith (Option: A)

Definitely A... SOC 2 provides, CIA + Privacy + Process Integrity + Security (Data Loss etc.)