Your company is a well-known cloud services provider. As a security professional, you designed a set of security controls to ensure the provisioning of trust services. To increase customers' confidence and provide security assurance, you are seeking attestation of the suitability of your design from one of the big four accounting firms. Which of the following is the best attestation engagement?
A. Type 1 SOC 1
B. Type 2 SOC 3
C. Type 1 SOC 2
D. Type 2 SOC 2
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Type 1 SOC 2.
- SOC 1 reports on internal control over financial reporting (ICFR). It serves the financial statement auditors of the user entities, not customers evaluating the security of a cloud service.
- SOC 2 and SOC 3 report on controls relevant to the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. A SOC 2 report is a restricted-use report that includes the description of the system and the auditor's tests and results; a SOC 3 report is a general-use summary that omits that detail, so it gives customers less insight into the design of the controls.
- Type 1 examines the suitability of the design (and implementation) of the controls as of a specified date, a snapshot. Type 2 additionally examines the operating effectiveness of the controls over a period of time, commonly six to twelve months. Since the question asks only for attestation of the suitability of the design, a Type 1 SOC 2 engagement fits best.
- Auditing, Attestation, and Assurance
- Trust Services Criteria (formerly Principles) for SOC 2 in 2019
- TSP 100