
CISSP Study Plan – Day 21 of 55 | SOC 1, SOC 2, SOX & Report Types Explained

Updated: Oct 5


"A full day of committed work! What an inspiration!!" – Luke Ahmed


Today is Day 21 of Yihenew’s CISSP study plan, digging into audit reports and compliance frameworks that every CISSP candidate should understand: SOC 1, SOC 2, SOX, and the difference between Type I and Type II reports.


Key Areas Covered:

  • SOC Reports Overview — Service Organization Control (SOC) reports are produced by external auditors to evaluate internal controls of service providers.

  • SOC 1 — Focuses on controls relevant to financial reporting (important for companies handling financial transactions or data that impacts financial statements).

  • SOC 2 — Focuses on Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Often required for cloud and SaaS providers.

  • SOX (Sarbanes-Oxley Act) — A U.S. law requiring companies to maintain strong internal controls over financial reporting. SOC 1 reports are often tied to SOX compliance.

  • Type I vs. Type II Reports:

    • Type I — A snapshot in time. Tests if the controls are designed effectively.

    • Type II — Observed over a period of time (usually 6–12 months). Tests if the controls are operating effectively.

  • CISSP Exam Tie-In — Expect questions that test your ability to match SOC 1 with financial reporting, SOC 2 with security/availability/privacy, and identify the difference between design effectiveness (Type I) vs operating effectiveness (Type II).


In this CISSP study plan session, Yihenew learned that understanding SOC reports isn’t just about compliance — it’s about how auditors provide assurance to stakeholders that controls are not only in place, but functioning as intended.


Quick CISSP Practice Question

Which report best demonstrates that a service provider’s controls are not only designed effectively but also working over time?


A. SOC 1 Type I

B. SOC 1 Type II

C. SOC 2 Type I

D. SOC 2 Type II


Correct Answer: D. SOC 2 Type II

Explanation:

  • Type I = design effectiveness at a single point in time.

  • Type II = operating effectiveness over a period of time.

  • SOC 1 relates to financial reporting, while SOC 2 relates to Trust Services Criteria.

Think Like a Manager: On the exam, if stakeholders want proof controls are working, choose Type II. If they only want assurance controls exist on paper, that’s Type I.


Check out Yani's TikTok or see Day 20 or Day 22.


👉 Can you take the Yani Challenge?


55 days of consistent CISSP prep, tackling one domain at a time, using only the resources below:


Course

Luke's CISSP Course (2 months access, $89.98)

One-to-one Zoom sessions with Luke Ahmed (2 weeks before exam)


Books, Notes, and Practice Questions

Sybex 10th Edition (Around $52.55)



Total Cost: approximately $250 depending on your geographic location. Yani is located in East Africa.


📚 Study Plan (55 Days of Dedication):

- Weekdays: 2–3 hours of focused study—late nights and early mornings (5 AM).

- Weekends: 5–6 hours of deep study sessions.


Pass the CISSP on the first attempt within 100 questions.


Yani's biggest expense was his time, commitment, consistency, and dedication! It was worth it because he passed on the first attempt in 100 questions using the above resources only.


If Yihenew could do it, so can you.


All the best, future CISSP. Feel free to contact me anytime as well.


Thank you.

Luke Ahmed
