Author: Jeff Cook
SOC 2 reports come in two different “types”. Simply put, they are “type 1” and “type 2”. Each one serves a purpose and provides value to the report reader. Many organizations will use a type 1 report as a means to get to type 2, or some organizations will only use a type 1 for specific purposes. So what’s the difference? Let’s dive into the details of what these variations in SOC 2 reports entail.
What This Means For You
A SOC 2 Type 1 report is as of a single point in time. The reason for that is because the report focuses on the suitability and design of the system and its controls to meet the criteria related to the categories in scope. This means that your path to earning your SOC 2 Type 1 is much shorter than achieving a SOC 2 Type 2 report. When it comes to providing evidence, you’re only providing example pieces of evidence from a specific point in time, not evidence showing controls operating over a period of time (i.e. 6-12 months). For example, in a SOC 2 Type 1, you may be asked to prove that your security awareness training control is suitably designed. You will be asked to provide evidence of a single new hire or employee that completed security awareness training. Whereas, in a SOC 2 Type 2, you will be asked to provide evidence for all or a sample (~25) of new employees that completed security awareness training during your reporting period.
This is why many organizations will use a type 1 report as a “stepping stone” after a readiness assessment is done (and remediation is completed) to show that their controls are in place, suitably designed, and are ready for a type 2 assessment. The reduced evidence requirements in a SOC 2 Type 1 make this the logical next step after your readiness assessment.
With ByteChek, our fully integrated platform streamlines and automates the SOC 2 readiness assessment process, accelerating your organization towards a SOC 2 Type 1. Within minutes of onboarding, you will receive detailed recommendations for controls not suitable and also have a clear understanding of which controls are already in place. Our platform is able to quickly identify controls that meet the criteria for your SOC 2 Type 1, and testing is complete in minutes, freeing up your team to focus on controls that need a little extra work.
Some companies will only do a type 1 report year over year as a way to show their control environment to customers, but those customers do not have a need to see operational effectiveness. A SOC 2 Type 2 report includes everything from the type 1 (suitability of design), but also shows the operational effectiveness of controls over a period of time. To be operating effectively, it has to show repeatable evidence that the control functioned as described. That’s why type 1 covers “is it designed correctly?” and type 2 covers “did it operate that way over this period of time?”.
Most companies end up on an annual SOC 2 Type 2 cycle where the prior 12 months are looked at for operational effectiveness. This report details the auditor’s testing of the controls and the results of tests as well. Most of your customers or business partners will look for a type 2 report as it is the highest level of scrutiny of the control environment. If you satisfy that, they likely are satisfied too.
Type 1 / Type 2 – similar reports, yet with different purposes. Are you looking to showcase your control environment and how it meets the criteria? Type 1 is for you. Are you looking for that, but also show how your controls operate? Type 2. In the end, you will have to determine which report is appropriate for the stage that your company and your control environment is in.
So which type of SOC 2 is right for you? It will depend on your situation, budget, and customer needs of course, and many companies will go the route of readiness > type 1 > type 2 for their SOC 2 journey. But is that your journey as well? Let us help you decide. Contact the SOC 2 experts at ByteChek to talk through your needs and help you determine your path.