Domain 6 of 8 · Chapter 5 of 5

Security Audits

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.

Included in this chapter:

  • What an audit is, and who performs it
  • Attestation reports: SOC 1/2/3 and ISO 27001
  • Auditing in cloud and hybrid environments

AICPA SOC report types: subject, audience, and Type I vs Type II

ReportWhat it coversDistributionType I vs Type II
SOC 1Controls at a service organization relevant to a user entity's financial reporting (ICFR)Restricted: the service org, its user entities, and their auditorsType I = design at a point in time; Type II = design + operating effectiveness over a period
SOC 2Controls against the five Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy)Restricted: knowledgeable parties under NDA (customers, regulators, partners)Type I = design at a point in time; Type II = design + operating effectiveness over a period
SOC 3Same Trust Services Criteria as SOC 2, but summary-level with no detailed test resultsGeneral use: may be freely distributed and posted publiclyIssued as a general-use report (no Type I/II split presented to readers)
ISO/IEC 27001 certification auditConformance of an Information Security Management System (ISMS) to the ISO/IEC 27001 standardCertificate is public; the audit report itself is held by the organizationCertification (initial) then periodic surveillance and recertification audits

Decision tree

Who must rely on the result? Board / management only Outside customer / regulator Internal audit Can you audit the target directly? Yes (on-prem / your config) No (cloud provider) Assurance about what? Rely on provider SOC 2 Type II + right-to-audit clause Financial reporting Security, over a period Public summary SOC 1 (ICFR) SOC 2 Type II SOC 3 (public) Always: auditor independence + an agreed standard make it assurance

Cheat sheet

  • An audit is independent assurance against a standard, not a self-assessment
  • The security leader usually facilitates the audit; the independent auditor renders the opinion
  • Classify an audit as internal, external, or third-party by who relies on the result
  • SOC 1 covers financial-reporting controls; SOC 2 covers security; SOC 3 is the public summary
  • SOC 2 measures controls against the five Trust Services Criteria, with security mandatory
  • SOC 1 and SOC 2 are restricted reports; only SOC 3 is general-use
  • Type I opines on design at a point in time; Type II tests operating effectiveness over a period
  • ISO/IEC 27001 certification is a public conformance badge, not a SOC-style report
  • You cannot audit a hyperscale cloud provider directly, so you rely on its attestation
  • The right-to-audit clause must be negotiated into the contract before you sign
  • Match the audit approach to where the system runs: on-prem direct, cloud shared, hybrid combined
  • An external SOC examination is performed by an independent CPA firm

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. NIST SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations Whitepaper
  2. System and Organization Controls (SOC) Suite of Services
  3. ISO/IEC 27001: Information security management systems: Requirements
  4. AWS Shared Responsibility Model (AWS Risk and Compliance whitepaper)