What is a SOC 2 Type II report?
A SOC 2 Type II report attests to a company’s security rules (“controls”) over a period of time (typically 3-12 months). A Type II report demonstrates that a company has established the required security procedures and has followed those procedures over time.
For example, a Type II report is like an auditor saying, “I checked the company’s security controls many times between September 30 and March 30, and everything looked reasonable.” This type of systems review results in an audit that yields a stronger and more trustworthy report.
There are two types of SOC 2 reports:
Obtaining a Type I report is faster, while a Type II report is more detailed and trusted. Customers and prospects generally prefer—and sometimes even require—a SOC 2 Type II report.