A cloud service provider (CSP) needs to provide its enterprise customers with formal assurance that its security controls have been designed appropriately and have operated effectively over the last six months. Which of the following would BEST satisfy this requirement for external stakeholders?
A System and Organization Controls (SOC) 2 Type 2 report is an attestation performed by an independent auditing firm that evaluates a service organization's controls over a period (typically 6-12 months). It specifically addresses both the suitability of the design and the operating effectiveness of the controls, making it the most appropriate option. A SOC 2 Type 1 report only covers the design of controls at a single point in time. An internal audit lacks the independence required by external stakeholders. A penetration test is a specific technical assessment and does not provide a comprehensive opinion on the overall control environment.