Effective CISSP Questions

You are the CISO working for a US-based startup company offering customer relationship management (CRM) solutions as SaaS. Your company is about to bid for a big deal that requires vendors to demonstrate assurance of security and privacy based on the AICPA's Trust Services Criteria (TSCs). The bidding process will close in one month. Your company has just received its first certification, ISO 27001. To win the bid, which of the following will you best recommend?
A. PCI-DSS
B. SOC 2 Type I
C. SOC 2 Type II
D. SOC 3

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. SOC 2 Type I.

Considering the time required to complete a SOC 2 examination, only a SOC 2 Type I report is achievable within the one-month window.

  • Your company, as a startup, has not completed any SOC examination and has received no SOC reports. It is not possible to complete a SOC 2 Type II examination in the one month before bidding closes, because the SOC 2 Type II observation period should not be less than six months.
  • A SOC 2 Type I report is as of a specified date: it includes a description of the service organization's system and an opinion on whether the controls are suitably designed at that point in time. Because a SOC 2 Type I examination does not test the operating effectiveness of controls over a period, it takes less time than a SOC 2 Type II examination. Moreover, your company has just received its ISO 27001 certificate, so its security posture is in good shape, which helps to accelerate the SOC 2 Type I examination.
  • SOC 2 reports cover controls relevant to the TSC categories of security, availability, processing integrity, confidentiality, and privacy. Their use is restricted; SOC 2 reports are typically intended for the service organization's first-tier customers and are not available to the public.
  • A SOC 3 report can be viewed as a highly simplified SOC 2 Type II report; it does not include a detailed description of the system or the tests performed. Since it depends on the same period-based examination, it is not feasible to complete a SOC 3 engagement in one month. SOC 3 reports are typically publicly available and used for marketing purposes.
  • PCI-DSS is about payment card data. It is not directly applicable in this case, since the bid asks for assurance based on the AICPA's Trust Services Criteria.
