Explain SOC 2 Type I vs Type II and the Trust Services Criteria.
Short answer
A SOC 2 Type I report assesses whether a service organisation's controls are suitably designed at a single point in time. A Type II report goes further: it tests whether those controls operated effectively over a review period, typically 3 to 12 months. Both are based on the AICPA Trust Services Criteria — Security (the required common criteria), plus optional Availability, Processing Integrity, Confidentiality, and Privacy.
SOC 2 is an attestation report produced by an independent CPA firm against the AICPA's Trust Services Criteria. It is the de facto trust signal SaaS vendors give to enterprise buyers. Interviewers want to know you understand what each report actually proves.
Type I vs Type II
- Type I answers: are the controls suitably designed at a specific date? It is a snapshot. It confirms the right controls exist on paper as of, say, 30 June.
- Type II answers: did those controls operate effectively over a window of time? The auditor samples evidence across a review period (commonly 3, 6, or 12 months) to confirm the controls were actually working, not just designed.
A Type I is faster to obtain and often used by younger companies for their first report. A Type II carries far more weight because it demonstrates sustained operation — which is why most enterprise procurement teams require it.
The Trust Services Criteria
SOC 2 is scoped against five categories:
- Security — the common criteria, mandatory in every engagement.
- Availability — system uptime and resilience commitments.
- Processing Integrity — processing is complete, valid, accurate, timely.
- Confidentiality — protection of information designated confidential.
- Privacy — handling of personal information per the entity's notice.
Only Security is required; the organisation chooses which of the others to include based on customer commitments.
Why this matters
A good candidate explains that Type II proves effectiveness over time and that Security is the one non-negotiable criterion. Bonus points for noting SOC 2 is an attestation (not a pass/fail certification) and contrasting it with SOC 1, which targets financial-reporting controls.
Likely follow-ups
- Why would a customer insist on a Type II rather than accept a Type I?
- Which Trust Services Criterion is mandatory in every SOC 2 engagement?
- How does a SOC 2 report differ from a SOC 1 (ICFR) report?