CISSP Study Plan – Day 22 of 55 | SOC Reports in Practice: SOC 1, SOC 2, SOC 3 & Type I vs Type II
- Luke Ahmed
- Oct 3
- 3 min read
Updated: Oct 5
"Man if you only knew how similarly we both studied for the CISSP. Wake up in the morning with a blanket as well! Then did the same at night! Let's go"– Luke Ahmed
Today is Day 22 of Yihenew’s CISSP study plan, going beyond definitions to see SOC reports in real life—how organizations actually use SOC 1, SOC 2, SOC 3, and Type I vs Type II reports to make risk decisions.
Key Areas Covered:
SOC 1 (Financial Reporting) — For vendors whose services can impact your financial statements (e.g., payroll processors, benefits admins). Auditors use SOC 1 to support SOX controls.
SOC 2 (Trust Services Criteria) — For SaaS/cloud providers handling customer data. Focuses on Security, Availability, Processing Integrity, Confidentiality, Privacy. Typical for CRM, HRIS, identity providers.
SOC 3 (Public Summary of SOC 2) — A marketing-friendly version you can share publicly. High-level; not a substitute for SOC 2 when performing due diligence.
Type I vs Type II — Type I = control design at a point in time. Type II = operating effectiveness over a period (usually 6–12 months).
Report Anatomy — System description, auditor opinion, controls/criteria, tests and results, noted exceptions. Watch for CUECs (Complementary User Entity Controls: your responsibilities) and subservice organizations (carve-out vs inclusive method).
Procurement Reality — Expect NDAs to access SOC 2; use bridge letters to cover gaps after the report period; read exceptions and management responses; align findings to vendor risk and contractual requirements.
CISSP Exam Tie-In — Map business need → correct report and assurance level → Type I vs Type II. SOC 1 for financial impact; SOC 2 for security criteria; SOC 3 is public summary only.
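To make the mapping and the procurement checklist above concrete, here is an added vendor-assurance triage script (example code written for this post, not part of the original study plan or any tool Luke or Yihenew use). It encodes the exam tie-in (business need → SOC 1/2/3 → Type I/II) and then runs the "Procurement Reality" checks over a report record: wrong report family, Type I where operating effectiveness is required, a coverage gap after the Type II period not closed by a bridge letter, exceptions with no management response, CUECs nobody internally owns, and carved-out subservice organizations. The vendor, dates, exceptions and CUECs are constructed sample data, and `MAX_GAP_DAYS` is an assumed policy threshold, not a standard.

```python
"""Vendor due-diligence triage for SOC reports (constructed example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed policy value: how long after a Type II period ends a report is still
# relied upon without a bridge letter. Adjust to your own vendor-risk policy.
MAX_GAP_DAYS = 90


@dataclass
class BusinessNeed:
    affects_financial_reporting: bool    # SOC 1 territory (SOX reliance)
    needs_operating_effectiveness: bool  # Type II rather than Type I
    public_summary_enough: bool = False  # SOC 3 acceptable (marketing-level only)


@dataclass
class SocReport:
    vendor: str
    soc: int                            # 1, 2 or 3
    report_type: Optional[int]          # 1 = Type I, 2 = Type II, None for SOC 3
    period_start: Optional[date]
    period_end: Optional[date]          # Type I: as-of date; Type II: end of period
    exceptions: list = field(default_factory=list)    # (exception, management response or None)
    cuecs: list = field(default_factory=list)         # CUECs listed in the report
    cuecs_assigned: set = field(default_factory=set)  # CUECs with an internal owner
    bridge_letter_through: Optional[date] = None
    subservice_method: str = "carve-out"              # or "inclusive"


def required_report(need: BusinessNeed):
    """Map the business need to (SOC number, Type), as in the exam tie-in."""
    if need.affects_financial_reporting:
        return 1, (2 if need.needs_operating_effectiveness else 1)
    if need.public_summary_enough:
        return 3, None
    return 2, (2 if need.needs_operating_effectiveness else 1)


def assess(report: SocReport, need: BusinessNeed, today: date) -> list:
    """Return the follow-up items a vendor-risk reviewer should raise."""
    findings = []
    want_soc, want_type = required_report(need)
    if report.soc == 3 and not need.public_summary_enough:
        findings.append("SOC 3 is a public summary; request the full SOC 2 under NDA")
    elif report.soc != want_soc:
        findings.append(f"SOC {report.soc} received but SOC {want_soc} is needed")
    if want_type == 2 and report.report_type == 1:
        findings.append("Type I is design at a point in time; Type II needed")
    if report.report_type == 2 and report.period_end is not None:
        # A bridge letter extends reliance past the period end; without one,
        # the gap grows from period_end.
        covered_through = max(report.period_end,
                              report.bridge_letter_through or report.period_end)
        gap = (today - covered_through).days
        if gap > MAX_GAP_DAYS:
            findings.append(f"coverage gap of {gap} days since {covered_through}; "
                            "obtain a bridge letter or a newer report")
    for exc, response in report.exceptions:
        if not response:
            findings.append(f"exception without management response: {exc}")
    for cuec in report.cuecs:
        if cuec not in report.cuecs_assigned:
            findings.append(f"CUEC with no internal owner: {cuec}")
    if report.subservice_method == "carve-out":
        findings.append("subservice organizations carved out; obtain their SOC reports separately")
    return findings


# Constructed scenario: the payroll SaaS vendor from the practice question.
PAYROLL_NEED = BusinessNeed(affects_financial_reporting=True,
                            needs_operating_effectiveness=True)

SAMPLE_REPORT = SocReport(
    vendor="ExamplePay (constructed)",
    soc=1, report_type=2,
    period_start=date(2024, 1, 1), period_end=date(2024, 12, 31),
    exceptions=[("Two terminated users retained access for 14 days", None),
                ("One change deployed without documented approval",
                 "Remediated; approval workflow now enforced")],
    cuecs=["Customer reviews payroll output before release",
           "Customer manages its own user access"],
    cuecs_assigned={"Customer manages its own user access"},
    bridge_letter_through=date(2025, 3, 31),
    subservice_method="inclusive",
)


def sample_findings(today: date = date(2025, 8, 1)) -> list:
    return assess(SAMPLE_REPORT, PAYROLL_NEED, today)


if __name__ == "__main__":
    for item in sample_findings():
        print("-", item)
```

Run it once with a date inside the bridge-letter window and once well past it to see the coverage-gap finding appear; the same function handles a SOC 3 offered where SOC 2 due diligence is required.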
In this CISSP study plan session, Yihenew connected the dots between compliance reports and business assurance: what executives, auditors, and customers actually need to see before trusting a third party.
Quick CISSP Practice Question
Your company is selecting a new payroll SaaS provider. Finance and external auditors need proof that the vendor’s controls related to financial reporting operated effectively over the last 12 months. Which report best satisfies this?
A. SOC 1 Type I
B. SOC 1 Type II
C. SOC 2 Type I (Security & Availability)
D. SOC 3
✅ Correct Answer: B. SOC 1 Type II
Explanation:
SOC 1 addresses financial reporting; SOC 2 addresses trust criteria for security/privacy—not financial statements.
Type II demonstrates operating effectiveness over time; Type I is a point-in-time design review.
SOC 3 is a high-level public summary and insufficient for audit reliance.
Think Like a Manager: Start from the business requirement: “Finance and auditors need assurance of controls working over time on a process that affects financial reporting.” That sentence itself points you to SOC 1 Type II—right domain (financial) and right level of assurance (operating effectiveness across a period).
👉 Can you take the Yani Challenge?
55 days of consistent CISSP prep, tackling one domain at a time, using only the resources below:
Course
Luke's CISSP Course (2 months access, $89.98)
One-to-one Zoom sessions with Luke Ahmed (2 weeks before exam)
Books, Notes, and Practice Questions
All-In-One Study Guide by Shon Harris (Around $45)
Sybex 10th Edition (Around $52.55)
Total Cost: approximately $250 depending on your geographic location. Yani is located in East Africa.
📚 Study Plan (55 Days of Dedication):
- Weekdays: 2–3 hours of focused study—late nights and early mornings (5 AM).
- Weekends: 5–6 hours of deep study sessions.
Result: passed the CISSP on the first attempt, within 100 questions.
Yani's biggest expense was his time, commitment, consistency, and dedication! It was worth it because he passed on his first attempt in 100 questions using the above resources only.
If Yihenew could do it, so can you.
All the best, future CISSP. Feel free to contact me anytime as well.
Thank you.
Luke Ahmed