CPA Exam Lab

ISC cheat sheet & quick reference

ISC is light on math and heavy on frameworks, so this sheet gathers the comparison tables that keep coming up: SOC reports, trust services criteria, access and encryption models, controls, recovery objectives, and the incident response lifecycle. Memorize the distinctions and most questions resolve themselves.

1. SOC report types: SOC 1 vs SOC 2 vs SOC 3 (Topic I11)

FeatureSOC 1SOC 2SOC 3
Subject matterControls relevant to user ICFRControls meeting trust services criteriaControls meeting trust services criteria
StandardAT-C 320 (SSAE 18)AT-C 105 and 205 + TSCAT-C 105 and 205 + TSC
Intended usersUser entities and their auditorsManagement, regulators, knowledgeable partnersGeneral public / anyone
Use restrictionRestrictedGenerally restrictedGeneral use (no restriction)
Type 1 / Type 2Both availableBoth availableType 2 nature only
SOC 1 is about financial reporting; SOC 2 and SOC 3 are about the trust services criteria. SOC 3 is the only general-use report of the three, so it is the one you can post publicly on a website.

2. Type 1 vs Type 2, carve-out vs inclusive, CUECs (Topic I11)

DimensionType 1Type 2
Period coveredA point in time (single date)A period of time (e.g., 6 to 12 months)
Design of controlsEvaluatedEvaluated
Operating effectivenessNot evaluatedEvaluated
Tests of controls and resultsNot includedIncluded
Complementary user entity controls (CUECs) are controls the service organization assumes the user entity performs. They are described in the report but NOT tested by the service auditor; the user entity and its auditor must confirm they exist.

3. Trust services criteria & SOC 2 report components (Topic I12)

CategoryCore question it answersRequired?
Security (common criteria)Is the system protected against unauthorized access, disclosure, and damage?Always required
AvailabilityIs the system available for operation and use as committed?Optional
Processing IntegrityIs processing complete, valid, accurate, timely, and authorized?Optional
ConfidentialityIs information designated confidential protected as committed?Optional
PrivacyIs personal information handled per the privacy notice and criteria?Optional
Security is the only mandatory category, you cannot issue a SOC 2 without it. Confidentiality covers any data designated confidential; Privacy deals exclusively with personal information.
SOC 2 componentResponsible partyIn Type 1?In Type 2?
Description of the systemManagementYesYes
Written assertionManagementYesYes
Service auditor’s report (opinion)Service auditorYesYes
Tests of controls and resultsService auditorNoYes

4. SOC opinion types & triggers (Topic I13)

OpinionWhen issuedSeverity
Unqualified (unmodified)Description fair, controls suitably designed and (Type 2) operating effectively; no material exceptionsClean
QualifiedA material but not pervasive problem (e.g., one control or objective fails)Material, isolated
AdverseProblems are material AND pervasive (broad control failure or materially misstated description)Material, pervasive
DisclaimerAuditor cannot obtain sufficient evidence; possible effects material and pervasiveCannot conclude
A disclaimer stems from a scope limitation (the auditor cannot get evidence), NOT from a control that simply failed. A failed control points to qualified (isolated) or adverse (pervasive). Management owns the description and assertion; the service auditor owns the opinion and the tests and results.

5. CIA triad & defense in depth (Topic I6)

GoalThreat to itExample control
ConfidentialityUnauthorized disclosureEncryption, access controls
IntegrityUnauthorized or accidental alterationHashing, file-integrity monitoring
AvailabilityOutage, denial of serviceBackups, redundancy, failover

6. NIST CSF functions in order (Topic I6)

FunctionPurposeExample activity
1. IdentifyUnderstand assets and riskAsset inventory, risk assessment
2. ProtectImplement safeguardsAccess controls, encryption, training
3. DetectSpot security eventsSIEM, intrusion detection, log review
4. RespondAct on incidentsContainment, communication
5. RecoverRestore operationsBackups, recovery planning
Memorize the order: Identify → Protect → Detect → Respond → Recover. Protect comes before Detect, and Detect comes before Respond.

7. Access control models & authentication (Topic I7)

Factor categoryDescriptionExample
Something you knowKnowledge held by the userPassword, PIN
Something you haveA physical or digital tokenSmart card, phone authenticator
Something you areA biometric traitFingerprint, facial recognition
MFA requires two or more factors from DIFFERENT categories. A password plus a security question is still single-factor (both are something you know). Authentication (who you are) always comes before authorization (what you may do).

8. Encryption: symmetric, asymmetric, hashing, PKI (Topic I7)

TechniqueKeysPrimary use
SymmetricOne shared keyFast bulk encryption
AsymmetricPublic/private key pairKey exchange, digital signatures
HashingNo key (one-way)Integrity verification, password storage
Hashing is not encryption, it is one-way and cannot be reversed to reveal the original, so never pick it as a way to keep data confidential and recoverable. PKI issues digital certificates that bind a public key to a verified identity, enabling trusted asymmetric encryption.

9. ITGCs vs application controls (Topic I3)

IT general controls (ITGCs) are pervasive controls over the whole environment, in four categories: access security, change management, IT operations (job scheduling, monitoring, backup), and systems development. Application controls sit inside one application and split into input, processing, and output.

CategoryPurposeExamples
Input controlsValidate data entering the systemField, limit, range, validity, completeness checks; check digit
Processing controlsEnsure complete and accurate processingBatch totals, hash totals, run-to-run totals, record counts
Output controlsEnsure accurate, complete, authorized outputOutput-to-input reconciliation, distribution controls, exception reports
Automated application controls can be relied upon ONLY when the underlying ITGCs, especially change management and access, are effective. Weak general controls mean the application control could be altered or bypassed without detection.

10. SDLC & system conversion approaches (Topic I2)

SDLC phases:

Planning → analysis (requirements) → design → development (coding) → testing → implementation (conversion and go-live) → maintenance

ApproachHow it worksRiskCost
ParallelOld and new run together; results comparedLowestHighest
PilotDeploy to one site or group first, then roll outLowerModerate
PhasedImplement in stages or modules over timeLowerModerate
Direct (big-bang)Switch off old, turn on new at onceHighestLowest
Parallel is safest but priciest; direct cutover is cheapest but riskiest with no fallback. Every change must be tested off production and deployed by someone OTHER than the developer.

11. Business resilience: RTO, RPO & recovery sites (Topic I5)

RTO (recovery time objective): the maximum acceptable downtime, that is, how long the business can be down. A short RTO points to a hot site.

RPO (recovery point objective): the maximum acceptable data loss measured in time. It drives backup frequency, a short RPO needs frequent backups or continuous replication.

Site typeReadinessRecovery timeCost
Hot siteFully equipped, near-real-time dataShortestHighest
Warm siteHardware and connectivity; data must be loadedModerateModerate
Cold siteSpace and utilities onlyLongestLowest

12. Incident response lifecycle & monitoring (Topic I10)

PhaseGoalExample action
1. PreparationBe ready before incidentsPlans, tools, training
2. Detection and AnalysisIdentify and scope the incidentInvestigate alerts
3. ContainmentLimit spread and damageIsolate affected systems
4. EradicationRemove the root causeDelete malware, patch entry point
5. RecoveryRestore normal operationsRebuild and restore from backup
6. Lessons LearnedImprove for the futurePost-incident review
Containment must precede eradication and recovery. Restoring systems before removing the cause invites reinfection.
AttributeIDSIPS
ActionAlerts only (passive)Blocks traffic (active)
PlacementOut of band, monitors a copyInline, in the traffic path
Risk if it failsMissed alertCan disrupt legitimate traffic

13. Threats quick reference (Topic I8)

Threat: a potential cause of harm (a hacker, a flood).

Vulnerability: a weakness a threat can exploit (an unpatched server).

Risk: likelihood that a threat exploits a vulnerability, times the resulting impact.

MalwareDefining traitPrimary harm
VirusAttaches to a file; needs a user to run itCorruption, spread
WormSelf-replicates across networksRapid spread, congestion
RansomwareEncrypts data, demands paymentLoss of availability, extortion
TrojanDisguised as legitimate softwareHidden backdoor, theft
SpywareSecretly collects informationLoss of confidentiality
AttributeVulnerability scanningPenetration testing
ApproachAutomated, broadOften manual, deep
ExploitationIdentifies but does not exploitActually attempts exploitation
FrequencyFrequent (e.g., weekly)Periodic (e.g., quarterly or annual)
A threat is the attacker; a vulnerability is the weakness, do not swap them. Scanning finds known weaknesses; penetration testing proves whether they can actually be exploited.

Keep studying

This cheat sheet pairs best with active practice. Jump into the ISC study guide, and grab the sibling cheat sheets for the other sections below.