CompTIA Cloud+ Practice Test

What is the public report for financial controls and security reporting that does not contain sensitive information?

• A. SOC 1
• B. SOC 2
• C. SOC 3
• D. ISO 27001

The correct answer is: SOC 3

The reason SOC 3 is the correct answer lies in its purpose and design. SOC 3 reports are specifically geared towards providing assurance over a service organization's controls relevant to security, availability, processing integrity, confidentiality, and privacy, while intentionally avoiding the inclusion of sensitive information. This makes them suitable for public distribution, allowing organizations to demonstrate their compliance and the effectiveness of their controls to stakeholders without revealing detailed internal processes or sensitive data. In contrast, SOC 1 and SOC 2 reports are more detailed and cater to different aspects. SOC 1 focuses on internal controls over financial reporting, primarily relevant for financial audits, and contains sensitive information that is not intended for public dissemination. SOC 2 reports, while also addressing security and compliance, often include confidential details about the service organization's systems and controls, making them unsuitable for sharing with the public. ISO 27001, on the other hand, is a standard for information security management systems (ISMS) rather than a report specifically designed for public transparency. It provides guidelines for establishing, implementing, maintaining, and continuously improving an information security management system but is not focused on public reporting in the same way that SOC 3 is. Thus, SOC 3 stands out as the report intended for public viewing that maintains