medium
Single Answer

Sofia wants to provide security assessment information to customers who want to use her organization's cloud services. Which of the following options should she select to ensure that the greatest number of customers are satisfied with the assessment information?

Answer Options

A

Use an internal audit team to self-assess against internal metrics.

B

Use a third-party auditor.

C

Use internal technical staff who know the systems.

D

Use an internal audit team to self-assess against a common standard like COBIT.

Correct Answer: B

Explanation

Using a third-party auditor from a well-known and well-regarded firm is often the best option when providing audit and compliance information to third parties. For example, Sofia could engage an appropriate vendor for a SOC 2 Type II engagement to provide detail to her customers. Internal staff assessing against a common standard like COBIT would be the next most acceptable option on this list, and self-assessment against internal metrics is less useful than that. Finally, relying on internal personnel who are not specialized in audits is the least effective strategy in this context.