
SOC 2 Type I vs Type II

SOC 2

Type I = design of controls at a point in time. Type II = design + operating effectiveness over a period (typically 3–12 months).

A SOC 2 Type I report opines on the suitability of the design of controls as of a single date. A Type II report additionally tests whether those controls operated effectively across an observation window (commonly 6 months for the first year, 12 months thereafter).

Why it matters
Enterprise procurement almost always requires Type II. Type I exists primarily to satisfy interim asks and accelerate sales while waiting for the first Type II window to close.

Related terms

SOC 2
AICPA attestation report on a service organisation's controls across five Trust Services Criteria.
Audit Period (Observation Window)
The continuous date range during which a SOC 2 Type II or ISO 27001 surveillance audit tests operating effectiveness.
Trust Services Criteria (TSC)
The five AICPA criteria categories underpinning SOC 2: Security, Availability, Confidentiality, Processing Integrity, Privacy.
