While we recommend a Type 1 prior to Type 2, we've conceded that going straight to Type 2 is a growing preference. Our focus has shifted to how we can enable it!
We’ve been determined to lead our clients down the path of SOC 2 Type 1 prior to SOC 2 Type 2. Whether it's a SOC 1, SOC 2, or ASAE 3150 report, there are Type 1 and Type 2 reports that can be issued. The Type 1 is a snapshot in time to prove compliance, while the Type 2 covers a period of continuous compliance. There are six reasons why we believe a Type 1 first is best!
Read more in Six Reasons to do Type 1 First.
We’ve conceded that there's a growing preference to go directly to Type 2. Instead of resisting it, we’ve shifted our focus to enabling it by ensuring it’s set up for success.
We initially only offered the straight to Type 2 approach to select clients that had completed ISO 27001, or conducted other audits that would ensure they were well prepared. We take our role seriously and believe it’s our duty of care to lead clients down the right path, without surprises!
Recognising the shifting preference for straight to Type 2, we’ve updated our client practice guides, communications and approach to help our clients navigate this path if they choose to do so.
There are three main drivers we see for clients preferring to skip the Type 1 and go straight to Type 2:
The past achievement of ISO 27001 - It’s widely known that being certified to ISO 27001 requires over 80% of what’s required to achieve SOC 2 as well. There's duplication in doing a Type 1 report after you've already validated the design effectiveness of your information security management system (ISMS). In this case we are more comfortable recommending the straight to Type 2 report approach.
Enterprise customers specifically request Type 2 - The contractual requirement or request raised by enterprise customers often specifies the requirement for a SOC 2 Type 2 report. The Type 1 can be a stepping stone to this requirement. It demonstrates to your customer that you’re on track to achieve the Type 2 with an earlier report confirming compliance by design. Often this Type 1 is sufficient to “open doors” with new customers and "buy time" to satisfy them in the meantime before a Type 2 is issued.
The American influence - In the leading US market, SOC 2 has become ubiquitous, especially in the enterprise software industry. It seems like every chartered accountant has set up their own practice to take advantage of that market opportunity. It’s a highly competitive market for SOC 2 reports, and the option of going “straight to Type 2” is an appealing proposition in sales conversations. It resonates with client leads as a way to “skip” a step or "fast track" compliance. It's presented in a way that appears to reduce the overall costs. We explain why this often isn’t the case in our post, Six Reasons to do Type 1 First. In short, the industry standard is to issue recurring Type 2 reports every 12 months. Doing a Type 1 report in the first year (which costs less than a Type 2) can actually reduce the overall cost, because the first year comes in lower.
What do you “skip” without doing Type 1?
The risk of skipping Type 1 is that the first formal audit process on your controls is performed during a live observation period. If issues are identified at that point, there's limited flexibility to avoid those being disclosed in the final SOC 2 report that your customers see.
If you’ve completed an ISO 27001 certification before, you should have most of the controls and audit evidence required to satisfy the Type 2 audit. However, some areas of SOC 2 aren’t covered by ISO 27001. There are areas that look for different types of audit evidence, because SOC 2 focuses on the “operational effectiveness” of your controls (more focused on system settings and live operating practices), rather than just the design focus of ISO 27001 (more focused on policies and procedures).
How to set up for success in a straight to Type 2 approach?
There are a few ways we set you up for success in your Type 2, whether you go straight to Type 2 or via a Type 1. It’s important to recognise that we can give you tips, guidance and support throughout the live period leading up to the audit, but your team remains wholly responsible for the outcomes and for ensuring it’s set up for success.
Readiness Assessment - Our free readiness software identifies and maps your controls to the SOC 2 criteria, with the associated audit evidence we expect to see, and the frequency or trigger for when we expect to see the control applied. This provides a complete picture of what's required to verify your compliance in the Type 1 or Type 2.
“Kick the tyres” review - When we go direct to Type 2, we perform a review workshop to “kick the tyres” on areas that may be more prone to failure. For example, if you’re relying on your ISO 27001 work to pass your SOC 2 Type 2, we would look at areas not covered by ISO 27001 and where the evidence requirements vary in SOC 2. We sense check the areas more prone to failure and check your team are clear on what's required to maintain your SOC 2 controls.
Project launch at the start of the period - We launch the audit project at the start of the period, populating all the audit requests so that you have a complete view of what’s required. We encourage you to upload the first control samples when they first occur in the live audit period, so we can audit in real time and feed back if there are any gaps in the evidence or in what's expected of the controls.
Our email series - Our automated email series is designed to drip-feed tips and reminders through the live period. It's framed around the areas of SOC 2 that are most prone to failure, like quarterly review controls that can be "missed", or event-driven controls that don't occur very often.
We still encourage most clients to pursue SOC 2 Type 1 first; however, if you do find straight to Type 2 is more aligned to your goals, we're now more confident than ever in guiding you down that path and setting up for a successful audit!