CISSP PRACTICE QUESTIONS – 20200502

Effective CISSP Questions

Your company is a well-known cloud services provider. As a security professional, you designed a set of security controls to ensure the provisioning of trust services. To increase customer’s confidence and provide security assurance, you are seeking attestation of the suitability of your design from one of the big four accounting firms. Which of the following is the best attestation engagement?
A. Type 1 SOC 1
B. Type 2 SOC 3
C. Type 1 SOC 2
D. Type 2 SOC 2


Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Type 1 SOC 2.

SOC Reports

  • SOC 1 is about the internal control over financial reporting.
  • SOC 2 and SOC 3 are about security controls over CIA (the "I" here is processing integrity) and privacy. Type 1 is an examination (a point-in-time snapshot) of the suitability of the design of controls. Type 2 is an examination of the operating effectiveness of controls over a period of time.
Application and Use of the Trust Services Criteria

AICPA TSP Section 100

References

4 thoughts on “CISSP PRACTICE QUESTIONS – 20200502”

  1. I think the good answer is D (Type 2 SOC 2). Best attestation refers to an examination of operation effectiveness of controls over a period of time instead of once (snapshot) like with type 1.

    • Yes, type 2 reports typically render higher assurance. However, the question is asking about the suitability of the design only, so a type 1 report can meet the requirement. It provides a certain level of assurance within the projected schedule and budget. Type 2 reports require the validation of the operating effectiveness of controls; the process needs a longer time and more money.

  2. As you say “Type 2 reports require the validation of the operating effectiveness of controls”. It’s the reason why it’s the best attestation engagement for a CSP. Sorry but your answer comforts option D. And thanks for all your work to help people in their CISSP learning.

    • Type 2 is better than Type 1 if the question doesn’t impose a context. However, the question established a context that only the design of controls be validated. Security requirements drive activities. The best solution delivers enough security instead of the highest security. So does assurance. This is the logic behind this question.
