My company is getting a SOC 2. But how do we decide between a SOC 2 Type I or Type II?
- Congratulations! Your B2B company is growing, and potential clients want to integrate your services. Handling sensitive data is all in a day’s work for your company. You’re transparent with your customers and prospects that you have good practices for keeping that sensitive information safe and secure. And since you know your current and prospective customers and their needs well, you understand that they take on a certain amount of risk in sharing sensitive data to engage your business services.
That’s why you’re preparing to obtain a SOC 2 report: an audit and attestation process, performed by an independent CPA firm, demonstrating that you understand the risk your customers take on and that you can transparently vouch for the quality of your security practices through an established review process. Your customers and prospects ultimately retain responsibility for securing their own customers’ data and information. So they seek the independent assurance that a SOC 2 report provides: that your company’s controls for keeping data safe and secure are suitably designed, and, for a Type II report, that they actually operated as intended.
Obtaining a SOC 2 report is a good business practice and an easy choice in and of itself. Note that SOC 2 is an attestation report rather than a certification; there is no “SOC 2 certified” status, only a report with an auditor’s opinion. But there’s one more choice as you move forward with your SOC 2: Type I, or Type II?
What’s the difference between a Type I and a Type II report?
- A SOC 2 Type I report evaluates your company’s software, administrative, and security systems and assesses the suitability of the design of the controls your company has put in place. In other words, a Type I report assesses whether those controls, based on their design, are likely to perform successfully if operated as described. A Type I report is furnished as of a specific date and represents a moment in time; it does not test whether the controls were actually followed.
- A SOC 2 Type II report similarly evaluates the design of the controls your company has put in place, but it takes the assessment further by additionally testing those controls’ operating effectiveness. This means that the Type II report not only reviews whether the controls you’ve put in place look good and should perform well; the auditor also samples evidence (access reviews, change tickets, onboarding and offboarding records, vulnerability scans, and the like) to evaluate how those controls performed over an observation period. That period is commonly between three and twelve months, with six months a typical choice for a first report.
There are a few general facts to keep in mind about SOC 2 Type I or II reports:
- Neither type of SOC 2 report formally expires, but customers and prospects generally treat a report as current for about 12 months from its issue date (or the end of its observation period), so plan on renewing annually.
- It is not necessary to conduct both a Type I and a Type II report.
- Companies conducting a Type I report may eventually need a Type II report. This is because customers and prospects generally prefer — and some may require — a Type II report from the companies they do business with.
Either reporting type has clear benefits, which will help you choose between the Type I report and the Type II report.
You’ll want to consider the two reports across three key decision-making categories and weigh your choice from there:
- Consider the speed with which you’d like the SOC 2 completed.
- If you need your SOC 2 fast, Type I is a strong option, as you’ll typically receive a report within one to two months after you’re ready for your audit. A Type II cannot be rushed in the same way, because the observation period itself has to elapse before the auditor can test the controls. However, if there is less urgency around your SOC 2, you may go straight to a Type II report.
- Consider the strength of the reporting outcomes and how they will serve your company.
- A Type I report shows that you understand the necessary security procedures and have designed controls to implement them. The Type I report is issued as of a specific date and represents an auditor’s review of your control design at that moment in time. It’s like your auditor saying, “I checked the company’s security controls on September 30, and they were suitably designed.” A Type II report shows not only that you understand the necessary security procedures but also that you followed them over a period of time. A Type II report is like your auditor saying, “I sampled evidence of the company’s security controls operating between September 30 and March 30, and they operated effectively.” This type of review yields more detail, including a description of the tests performed and any exceptions found, which points to a more robust and trustworthy report.
- Consider the cost of the report to your company.
- It’s an expense for your company to establish its SOC 2 compliance whether you choose Type I or Type II. It’s helpful to consider that if you start with a Type I report, you may eventually need a Type II report, which is an additional audit and an additional cost. As noted above, you don’t need to conduct both a Type I and a Type II report. If you determine that your company will eventually need a Type II report, you may find it more cost-effective to go straight to a Type II report, saving the cost of performing both audits. One advantage of starting with a Type I is that it surfaces design gaps before the Type II observation period begins, so the controls you are then observed against are already in shape.
As your company chooses between a Type I or a Type II report, you should ask yourself these questions:
- Is our company’s SOC 2 compliance urgent?
- What level of reporting strength are we seeking to demonstrate?
- Will we eventually need a Type II report?
If your company is required to demonstrate its SOC 2 compliance, you may find that a Type II report serves you better. The Type II report is the stronger of the two, indicating that your security processes and procedures were in place and operating effectively for a period of time rather than only suitably designed at a single point in time. However, if you must demonstrate SOC 2 compliance quickly, before an observation period could realistically be completed, you may choose to produce a Type I report first and follow it with a Type II.
Vanta can help walk you through this decision-making process as you determine which SOC 2 report type is best for your company and customers. Vanta is “security in a box” for technology companies — a suite of interconnected tools conforming to the SOC 2 standard. We connect to your company’s software, admin, and security systems to continuously monitor your systems and services, and we help you close any gaps in your security implementation so you can achieve SOC 2 compliance — whether a Type I or Type II report best suits your company’s needs.