There are two types of SOC 2 attestation reports:
- SOC 2 Type 1
- SOC 2 Type 2
Each serves a specific purpose, and you’ll need to decide which report you want before starting the audit process.
What is SOC 2 Type 1?
SOC 2 Type 1 evaluates security controls at a single point in time to determine whether the internal controls safeguarding customer data are designed suitably and are sufficient. A Type 1 report does not contain an opinion on the operating effectiveness of controls or a detailed description of the tests of controls performed by the service auditor.
Type 1 reports can be generated in a matter of weeks.
What is SOC 2 Type 2?
A SOC 2 Type 2 report examines not only whether the internal controls safeguarding customer data are designed suitably, but also how well a service organization's compliance controls perform over a period of time (typically 3-12 months). Do they function as intended? How effective are they?
Type 2 audits can take 12 months to complete and are more expensive than Type 1 audits.
Which Should You Choose?
Type 1 and Type 2 reports both require an audit by a qualified service auditor or CPA firm. Often, the decision is about the timeline.
If a requester didn’t specify which report they want, it’s likely they expect you to have a SOC 2 Type 2. Sometimes companies get a SOC 2 Type 1 and commit to getting a Type 2 within a year, so they can begin working with the requester in the meantime.
Or maybe you need to demonstrate compliance because an important enterprise prospect requires it to close the deal. But your company just recently implemented the formal systems necessary for the SOC 2, or you’ve recently made major changes to your data security systems. A Type 1 report that evaluates your information security controls as they stand today can be a short-term solution.
When deciding between a SOC 2 Type 1 and a Type 2, make sure you understand the expectations of the potential customer who is requesting it. Since a Type 1 does not require you to demonstrate your compliance over time, it provides a lower level of assurance to the potential customer and may not meet their vendor due diligence needs.