CISSP Practice Domain 6 — Security Assessment and Testing Q31 of 120

A SOC 2 Type II report differs from Type I in that it:

A CISSP practice question covering Domain 6: Security Assessment and Testing. Try answering before reading the explanation below.

A. Covers only design of controls at a point in time
B. Covers operating effectiveness of controls over a period (typically 6-12 months) (✓ Correct answer)
C. Is required only for publicly traded companies
D. Is performed by the company's internal audit team

Why "Covers operating effectiveness of controls over a period (typically 6-12 months)" is the right answer

SOC 2 Type I evaluates control design at a point in time. Type II adds operating-effectiveness testing over a defined audit window (commonly 6 or 12 months). Both are performed by independent CPAs, not internal audit. SOC 2 is voluntary, not SOX.
