Havoc Shield Blog

Movies, Photographs, and SOC 2 Type 1 vs Type 2

Written by Brian Fritton | Jan 29, 2021 6:00:00 AM

Would you rather talk about movies, photographs, or SOC 2 Type 1 vs Type 2?  If your answer was "all of the above" then you've come to the right place.

Amongst companies evaluating the possibility of obtaining a SOC 2 report, there's been some confusion about the difference between SOC 2 Type 1 vs Type 2.  Lets see if we can clear that up. Here's what the AICPA says about it:

A type 2 report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls; and a type 1 report on management’s description of a service organization’s system and the suitability of the design of controls. Use of these reports are restricted.

Clear enough? If not, read on for an explanation that we think might be just a bit easier to remember.

Photographs vs Movies

We love helping clients navigate their way through to a successful SOC 2 report. We also love photographs and movies, and in the rarest of opportunities to combine business and leisure, for once the two have something to do with each other.  We'll explain.

Ever see a photograph of a scene from a movie -- perhaps on a poster outside of a movie theatre?  You get a good sense for what the movie might be about -- is it a romantic comedy, or a horror film?  An action film, or a documentary?  We'll bet that a well selected photograph will be enough to let you draw that conclusion.

But what are the plot points -- what's the opening scene, the dilemmas along the way, the ups and downs of the plot, and the conclusion?  We doubt you'll deduce that from a photograph of a single moment.

SOC 2 Type 1 vs Type 2

Most companies that head down the path of obtaining a SOC 2 report very quickly arrive at an important decision.  A distinction that most companies aren't familiar with, is the choice between SOC 2 Type 1 vs Type 2.  If the quote at the top of this post didn't clear up the distinction, here's the way we explain it at Havoc Shield.

If you are in search of a SOC 2 report, that's going to involve an auditor evaluating your approach to security.  A SOC 2 Type 1 report involves an auditor evaluating the suitability of the security controls that you disclose to them.  Think of it as a photograph of a moment in time.

A SOC 2 Type 2 report involves an auditor evaluating the suitability of the security controls that you disclose to them, over a period of time, wherein they observe the manner in which you bring those controls to life through your day-to-day practices.  Think of it as a movie.  A movie about the way that you implement your security practices over a period of time.

Easier to remember, right?

Getting To SOC 2

No matter whether you choose to pursue SOC 2 Type 1 vs Type 2, you'll want to prepare for the process. If you'd like help establishing sufficient infosec policies, security controls, and associated reports and audit trails, please be in touch and we'll be glad to help you prepare for SOC 2.