Security Audits
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.
Included in this chapter:
- What an audit is, and who performs it
- Attestation reports: SOC 1/2/3 and ISO 27001
- Auditing in cloud and hybrid environments
AICPA SOC report types: subject, audience, and Type I vs Type II
| Report | What it covers | Distribution | Type I vs Type II |
|---|---|---|---|
| SOC 1 | Controls at a service organization relevant to a user entity's financial reporting (ICFR) | Restricted: the service org, its user entities, and their auditors | Type I = design at a point in time; Type II = design + operating effectiveness over a period |
| SOC 2 | Controls against the five Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy) | Restricted: knowledgeable parties under NDA (customers, regulators, partners) | Type I = design at a point in time; Type II = design + operating effectiveness over a period |
| SOC 3 | Same Trust Services Criteria as SOC 2, but summary-level with no detailed test results | General use: may be freely distributed and posted publicly | Issued as a general-use report (no Type I/II split presented to readers) |
| ISO/IEC 27001 certification audit | Conformance of an Information Security Management System (ISMS) to the ISO/IEC 27001 standard | Certificate is public; the audit report itself is held by the organization | Certification (initial) then periodic surveillance and recertification audits |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.
Also tested in
References
- NIST SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations Whitepaper
- System and Organization Controls (SOC) Suite of Services
- ISO/IEC 27001: Information security management systems: Requirements
- AWS Shared Responsibility Model (AWS Risk and Compliance whitepaper)