SOC 2

SOC 2 Type 1 vs Type 2: What's the Difference?

Published July 5, 2026 · 5 min read

This is the question we get asked most often, usually by a founder who just got a security questionnaire from a prospect and needs an answer within the hour. Here's the short version, then the detail that actually matters for your timeline.

The core difference

Type 1 answers the question: "Are your security controls designed correctly, as of today?" It's a snapshot audit. The auditor reviews your policies and control design at a single point in time.

Type 2 answers the question: "Have your security controls actually been operating correctly over a period of time?" The auditor observes evidence — access logs, ticket records, review sign-offs — across an observation window, typically 3 to 12 months, most commonly 6.

Why this distinction exists

A company can write a beautiful access control policy and still let ex-employees keep their logins for months. Type 1 wouldn't catch that — the policy exists, so the control is "designed" correctly. Type 2 would catch it, because it checks whether the policy was actually followed over time. That's why enterprise security teams increasingly ask for Type 2 specifically; Type 1 tells you intentions, Type 2 tells you behavior.

Type 1Type 2
What's assessedControl design at one point in timeControl operation over a period
Observation windowNone — single date3-12 months (6 is typical)
Time to report4-8 weeks after readinessReadiness period + full observation window + audit
Enterprise acceptanceOften accepted as interim proofGenerally the expected standard
Typical use caseFirst-time report, urgent deal in progressRenewal, or first report when timeline allows

Which one do you actually need?

If you have zero SOC 2 history and a prospect needs something in the next 60 days, a Type 1 report is often the realistic option — it can demonstrate your controls are in place while your Type 2 observation period runs in parallel. Many companies do a Type 1 in year one specifically to unblock deals, then move to Type 2 in year two once they have enough operating history.

If you're not under immediate deal pressure and have 6+ months of runway before you need a report, skip Type 1 entirely and go straight for Type 2 — it's the stronger signal and you'll need it eventually anyway.

Common mistake: Founders sometimes assume Type 1 is "SOC 2 lite" and cheaper to maintain long-term. In practice, most enterprise buyers will ask for Type 2 within a year or two regardless, so budget and plan for the transition rather than treating Type 1 as a permanent solution.

What the observation window actually requires

During the Type 2 window, you're not just "waiting it out" — your team needs to actually execute the controls consistently: access reviews on schedule, incident response drills documented, vendor risk assessments completed, security training tracked. The auditor will sample evidence from across the whole window, so gaps in month 3 show up just as clearly as gaps in month 1.

Bottom line

Need a SOC 2 report on a real deadline?

We'll map out whether Type 1, Type 2, or both make sense for your timeline — free.