What is a SOC 2 Type II report?
A SOC 2 Type II report attests to a company’s security rules (“controls”) over a period of time (typically 3-12 months). A Type II report demonstrates that a company has established the required security procedures and has followed those procedures over time.
For example, a Type II report is like an auditor saying, “I checked the company’s security controls many times between September 30 and March 30, and everything looked reasonable.” This type of systems review results in an audit that yields a stronger and more trustworthy report.
There are two types of SOC 2 reports:
- Type I describes a vendor’s systems and whether their design is suitable to meet relevant trust principles as of a specified date.
- Type II details the operational effectiveness of those systems throughout a specified period.
Obtaining a Type I report is faster, while a Type II report is more detailed and trusted. Customers and prospects generally prefer—and sometimes even require—a SOC 2 Type II report.
As the number and severity of third-party breaches continue to rise, companies are scrutinizing more closely not just on how they handle data, but how their vendors do as well. For security leaders, this means more security reviews are coming across their desks every day. Join us to learn how Vanta Trust Center can help streamline security reviews.