If the phrase “cybersecurity questionnaire” is beginning to send your salespeople scrambling, it’s time to get a SOC 2 report. And that means it’s time to consider the value a SOC 2 Type 1 vs Type 2 would provide to your business.
Thankfully, the answer is easy!
Get a Type 2.
Okay, let’s expand on that. You should definitely get a SOC 2 Type 2 – or at least get a Type 2 after first getting a SOC 2 Type 1.
First – What is a SOC 2 again?
The American Institute of Certified Public Accountants (AICPA) SOC 2 is a cybersecurity compliance standard that provides guidelines for businesses to create their security programs.
While some compliance standards like PCI-DSS, ISO 27001, and CMMC are certifications with a strict set of prescribed controls to follow, SOC 2 allows much more flexibility in creating a security program. As long as you meet the guidelines, you can use whatever controls will work for your organization.
After a CPA performs a SOC 2 audit, the CPA will issue a SOC 2 attestation report. The attestation report will include information about your security program, how well it meets the guidelines, and how well you are executing it.
This report can come in two types: a SOC 2 Type 1 or a SOC 2 Type 2. The key difference in the SOC 2 Type 1 vs Type 2 matchup is the time period the audit covers.
What is a SOC 2 Type 1?
A SOC 2 Type 1 is a point-in-time evaluation. A company can create a great security program, demonstrate it to an auditor, and get a Type 1. The SOC 2 Type 1 attestation report will reflect whatever the company was doing at the moment the auditor evaluated it.
But how can you tell if they’re sticking with that great program? After all, a security program isn’t any good if it’s not being followed well. A point-in-time evaluation like the Type 1 doesn’t provide this information at all.
That’s where the SOC 2 Type 2 comes in
A SOC 2 Type 2 report is an evaluation done over a period of time, usually 6 to 12 months. A company must demonstrate to the auditor that it is adhering to its security program over the whole time period.
To do this, companies must be sure to perform (and document) their security tasks on a monthly, quarterly, or annual basis. If you’re doing a six-month SOC 2 Type 2, though, your “annual” tasks effectively become “every six months” tasks, since they have to be completed within the audit period.
A company that gets a great SOC 2 Type 2 will have an awesome security program and prove that they’re maintaining it as well. It is a much more valuable report than the SOC 2 Type 1.
SOC 2 Type 1 vs Type 2: The Type 2 is More Valuable
Remember, the usual impetus for getting a SOC 2 report at all is a request from customers (or would-be customers). As a midsize B2B company grows and begins to attract larger clients, sales efforts will be slowed down by the security demands of larger businesses.
“Do you have a SOC 2 report? If you don’t, please fill out this several-hundred-question Excel questionnaire about your company’s security posture. Oh, and if it’s not good enough, we won’t buy from you.” – Hypothetical Customer
After a couple of these, a SOC 2 report starts to feel pretty appealing.
Ultimately a SOC 2 attestation helps enable sales. It’s a report you can use to show clients that you are doing everything necessary to protect their data. If a client wants evidence of a great security program, a SOC 2 Type 2 is going to be much more valuable to them (and by extension, you).
Not only that, some companies will specifically request a Type 2 instead of a Type 1. Customers really want to see the extra diligence that comes with a SOC 2 Type 2. They want to see a well-designed cybersecurity program that is executed and maintained consistently.
It just makes the most sense to go for the SOC 2 Type 2.
So is the SOC 2 Type 1 worthless?
While the Type 2 might be the victor of the SOC 2 Type 1 vs Type 2 matchup, there is still a place for a Type 1.
It takes at least six months to get a SOC 2 Type 2, and it usually takes much longer. If you are being pressured by clients to get a SOC 2, getting a Type 1 in the interim is a good move. Some large customers might even have contracts requiring their vendors to get a SOC 2 Type 1 within so many months and then a SOC 2 Type 2 by the end of the following year.
Aiming for the SOC 2 Type 1 is often beneficial anyway. It will help get the program in place, get it evaluated, and give you something to show for it. You’ll have a report, feedback, and new knowledge about the audit process that you can use to make sure your SOC 2 Type 2 audit goes even better.
A SOC 2 Type 1 with a plan in place for the Type 2 demonstrates you are on a path to success.
Definitely get a SOC 2 Type 2! But maybe get a SOC 2 Type 1 first.
A SOC 2 is all the evidence your company will have to show for its cybersecurity program. Be sure to put your best foot forward! Do the extra work needed to get a SOC 2 Type 2. It’s extra work, but it will provide much more value to you and your customers. Especially if you go above and beyond with your Trust Services Criteria too!
Then, instead of sweating over cybersecurity questionnaires, your sales team will be able to provide proof of a great security program with a SOC 2 report.