My company is getting a SOC 2. But how do we decide between a SOC 2 Type I or Type II?
Congratulations! Your B2B company is growing, and potential clients want to integrate your services. For your company, handling sensitive data is all in a day’s work. You’re clear with your customers and prospects that you have good practices in place for keeping that sensitive information safe and secure. And since you know your current and prospective customers and their needs well, you understand that they take on a certain amount of risk in sharing sensitive data in order to engage your business services.
That’s why you’re preparing for a SOC 2 report: an attestation, issued by an independent CPA firm under AICPA attestation standards, that evaluates your controls against the Trust Services Criteria and lets you vouch for the quality of your security practices through an established review process rather than by self-assertion. Your customers and prospects ultimately retain responsibility for the security of their own customers’ data, so they look for the independent assurance a SOC 2 report provides that your company’s controls for keeping that data safe and secure are in place and, depending on the report type, operating as intended.
Obtaining a SOC 2 report is a sound business practice and an easy choice in and of itself. But there’s one more choice to make as you move forward (keeping in mind that SOC 2 is an attestation report, not a certification): Type I, or Type II?
What’s the difference between a Type I and a Type II report?
- A SOC 2 Type I report covers the description of your system (your company’s software, administrative, and security controls) and assesses the suitability of the design of the controls you have put in place, and whether they were implemented, as of a specified date. In other words, a Type I report assesses whether those controls, as designed and placed in operation, can be expected to meet the relevant Trust Services Criteria. It is issued as of a specific date and represents a moment in time; it does not test whether the controls kept operating after that date.
- A SOC 2 Type II report similarly evaluates the description and design of the controls your company has put in place, but it takes the assessment a step further by also testing the operating effectiveness of those controls over a review period. The auditor samples evidence from throughout that period (access reviews, change tickets, vulnerability scan results, onboarding and offboarding records, and so on) to confirm that the controls actually operated as described. Review periods typically run from three to twelve months; six months is common for a first Type II, and twelve months for subsequent annual reports.
There are a few general facts to keep in mind about SOC 2 Type I or II reports:
- A SOC 2 report does not formally expire, but customers generally treat it as current for about 12 months after the as-of date (Type I) or the end of the review period (Type II), so most companies renew annually.
- It is not necessary to conduct both a Type I and a Type II report.
- Companies that start with a Type I report often find that they eventually need a Type II report. This is because customers and prospects generally prefer, and some (particularly enterprise procurement and security review teams) require, a Type II report from the companies with which they do business.
Each report type has clear benefits that will help you choose between them.
Weigh the two reports across three key decision-making categories:
- Consider the speed with which you’d like the SOC 2 completed.
- If you need your SOC 2 fast, the Type I is a strong option: once your controls are in place and you are ready for your audit, a Type I report can typically be issued within one to two months, because there is no observation period to wait out. If there is less urgency around your SOC 2, you may choose to go straight to a Type II report. Note that a Type I does not shorten the path to a Type II; the Type II review period cannot begin until the controls are actually operating, so the earlier they are in place, the sooner that clock starts.
- Consider the strength of the reporting outcomes and how they will serve your company.
- A Type I report shows that your controls are suitably designed and were in place on the as-of date. It’s like your auditor saying, “I checked the company’s security controls on September 30, and they were designed and implemented appropriately.” A Type II report shows not only that the controls are suitably designed, but that they operated effectively throughout the review period. It’s like your auditor saying, “I tested the company’s security controls against evidence sampled from September 30 through March 30, and they operated effectively throughout that period.” Because the auditor tests evidence across the whole period rather than a single snapshot, a Type II report contains more detail and gives its readers stronger assurance. Either report may also list exceptions the auditor found; a report with a few documented and remediated exceptions is still far more useful to a customer than no report at all.
- Consider the cost of the report to your company.
- Establishing SOC 2 compliance is an expense for your company whichever type you choose, and the audit fee is only part of it: preparing the controls and collecting evidence costs staff time as well. If you start with a Type I report, you may eventually need a Type II report as well, which means paying for a second audit. As noted above, you don’t need to conduct both. If you determine that your company will likely need a Type II report eventually, going straight to a Type II is usually the more cost-effective path, saving the cost of performing both audits.
As your company chooses between a Type I or a Type II report, you should ask yourself these questions:
- Is our company’s SOC 2 compliance urgent?
- What level of reporting strength are we seeking to demonstrate?
- Will we eventually need a Type II report?
If your company is required to demonstrate its SOC 2 compliance, you may find overall that a Type II report serves you better. The Type II report is the stronger of the two, demonstrating that your security processes and procedures were in place and operating effectively over a period of time rather than at a single point in time. However, if it’s urgent that you demonstrate SOC 2 compliance, you may choose to produce a Type I report. If you do, bear in mind that you may well need to conduct a Type II report in the future.
Vanta can help walk you through this decision as you determine which SOC 2 report type is best for your company and your customers. Vanta is “security in a box” for technology companies: a suite of interconnected tools built around the SOC 2 Trust Services Criteria. We connect to your company’s software, admin, and security systems to continuously monitor them and collect evidence, and we help you close any gaps in your security implementation so you can achieve SOC 2 compliance, whether a Type I or Type II report best suits your company’s needs.