There are two types of SOC 2:
| | Audit Period | Description |
| --- | --- | --- |
| SOC 2 Type I | 1 day | Assess the design of security processes at a specific point in time. |
| SOC 2 Type II | 3 - 12 months | Assess the effectiveness of security processes by observing operations for a period of at least 3 months (6 months recommended). |
SOC 2 Type I and Type II reports address the same subject matter, but a Type I report does not contain an opinion on the operating effectiveness of controls or a detailed description of tests of controls performed by the service auditor.
If the requester didn’t specify, they will most likely want you to have a SOC 2 Type II. Usually, companies will get a SOC 2 Type I and commit to getting a Type II within a year, so they can begin working with the requester. With Secureframe, you can go straight to a Type II audit with ease.
Note: A SOC 3 report is a simplified version of a SOC 2 report. These are typically posted publicly and used as marketing material. Most companies don’t get one since it has the same exact content as a SOC 2, but auditors will provide one for an additional cost.