The correct answer is SOC 2 Type II shows that controls were operating effectively over a sample period.

A SOC 2 Type II shows that controls were operating effectively over a sample period report demonstrates that an organization not only designed controls but also tested them over time to show they operated effectively. The testing period is sampled over weeks or months which provides evidence of sustained operation rather than a snapshot.

ISO 27001 certification is incorrect because ISO 27001 is a separate international standard for an information security management system and not a SOC 2 report. Organizations may hold both certifications or reports but ISO 27001 follows its own audit and certification process.

SOC 2 Type II reports are published publicly for everyone to view is incorrect because SOC 2 reports are typically restricted. Service organizations generally share them with customers or regulators and often under confidentiality agreements rather than posting them for the public.

SOC 2 Type II focuses exclusively on privacy controls is incorrect because SOC 2 evaluates one or more trust service criteria which include security, availability, processing integrity, confidentiality, and privacy. A SOC 2 report is not limited to privacy alone.

Full AWS Practitioner Certification Question