SOC 2 Type 1 vs Type 2: Key Differences

By Johnathan Christopherson · AuditWolf · Updated 2026

A SOC 2 Type 1 report tests whether your controls are designed correctly at a single point in time, while a Type 2 report tests whether those same controls actually operated effectively over a period, usually 3 to 12 months. That distinction decides everything downstream: Type 1 is a snapshot of intent, Type 2 is evidence of behavior. Most enterprise buyers and their vendor risk teams want the Type 2, because a well-designed control that no one follows protects no one. This guide breaks down the real differences, the cost and timing trade-offs, when starting with a Type 1 makes sense, and how bridge letters cover the gap between your report date and today.

What does a SOC 2 Type 1 report actually test?

A Type 1 report is the assessor's opinion on whether your controls are suitably designed to meet the relevant Trust Services Criteria as of a specific date. Think of it as an architecture review: the assessor confirms that a control exists, is documented, and would achieve its objective if it operated as described. They inspect the design, not a track record.

Take CC6.1 (logical access). A Type 1 assessor confirms you have a policy requiring MFA and least privilege, that your identity provider is configured to enforce MFA, and that your access model maps roles to permissions. They verify the control is in place on the as-of date. What they do not do is pull a sample of the last two quarters of access grants to prove the control was enforced every time. That proof is a Type 2 exercise.

What does a SOC 2 Type 2 report add?

A Type 2 report covers everything in a Type 1, then goes further: the assessor tests operating effectiveness across a defined observation period, commonly 3, 6, or 12 months. Instead of confirming a control exists, they sample instances over the window to prove it ran as intended each time it was supposed to.

This is where sampling drives the work. For quarterly access reviews, the assessor pulls the actual review records for each quarter in scope and checks they were completed and remediated. For joiner/mover/leaver, they sample employees who onboarded, changed roles, or left, and trace each one: was access provisioned on the right day, adjusted on a role change, and fully revoked at termination? Under CC7.4 (responding to identified security incidents), they test whether logged security events were triaged and handled per your process. A single leaver whose GitHub access lingered for 40 days becomes an exception in the report, visible to every buyer who reads it.
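The leaver trace described above, as an added example that is not part of the original guide: it replays the assessor's test over constructed data so a team can find its own exceptions before the observation window closes. The HR records, the IdP and GitHub revocation events, the one-day revocation SLA, the two in-scope systems and the April to June window are all assumptions made for the example.

```python
from datetime import date

# Constructed sample data (not from the page): HR leaver records plus the
# deprovisioning events an assessor would pull from IdP and GitHub audit logs.
LEAVERS = [
    {"user": "alice", "terminated": date(2025, 4, 2)},
    {"user": "bob", "terminated": date(2025, 5, 16)},
    {"user": "carol", "terminated": date(2025, 6, 27)},
    {"user": "dave", "terminated": date(2025, 3, 20)},  # before the window, out of scope
]
REVOCATIONS = [
    {"user": "alice", "system": "idp", "revoked": date(2025, 4, 2)},
    {"user": "alice", "system": "github", "revoked": date(2025, 4, 3)},
    {"user": "bob", "system": "idp", "revoked": date(2025, 5, 16)},
    {"user": "bob", "system": "github", "revoked": date(2025, 6, 25)},  # 40 days late
    {"user": "carol", "system": "idp", "revoked": date(2025, 6, 27)},
    # carol and dave have no GitHub revocation at all: those accounts are still live
]
SYSTEMS = ("idp", "github")  # every system in scope for CC6.1 is traced
SLA_DAYS = 1                 # assumed policy: revoke within one day of termination
PERIOD = (date(2025, 4, 1), date(2025, 6, 30))  # the Type 2 observation window


def trace_leaver(leaver, revocations, systems=SYSTEMS, sla_days=SLA_DAYS):
    """Trace one sampled leaver across each in-scope system.
    Returns (system, lag_days, status): status is "ok", "late" or "not revoked"."""
    revoked_on = {r["system"]: r["revoked"]
                  for r in revocations if r["user"] == leaver["user"]}
    rows = []
    for system in systems:
        if system not in revoked_on:
            rows.append((system, None, "not revoked"))  # no event found at all
            continue
        lag = (revoked_on[system] - leaver["terminated"]).days
        rows.append((system, lag, "ok" if lag <= sla_days else "late"))
    return rows


def leaver_exceptions(leavers, revocations, period=PERIOD):
    """Exceptions a Type 2 assessor would report for the window: one entry per
    leaver/system pair whose revocation missed the SLA or never happened."""
    start, end = period
    exceptions = []
    for leaver in leavers:
        if not start <= leaver["terminated"] <= end:
            continue  # terminated outside the observation period: not sampled
        for system, lag, status in trace_leaver(leaver, revocations):
            if status != "ok":
                exceptions.append({"user": leaver["user"], "system": system,
                                   "lag_days": lag, "status": status})
    return exceptions
```

Run the same logic over real HR exports and audit logs on a schedule and the output is the exception list before the assessor compiles it.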

Which report do buyers actually want?

In almost every enterprise procurement and vendor risk review, the answer is Type 2. A security team evaluating you as a subprocessor wants evidence that your controls held up over time, not a promise that they were configured correctly on one convenient afternoon. A Type 1 rarely clears a mature vendor risk questionnaire on its own.

The practical exception is timing. A prospect who needs assurance now, before your first Type 2 window has closed, may accept a current Type 1 as an interim signal, on the condition that a Type 2 is on the roadmap. Sales teams use this to unblock deals while the observation period runs. Treat it as a bridge, not a destination.

How do cost and timing differ?

Type 1 is faster and cheaper because there is no observation window to sit through. Once your controls are designed and in place, an assessor can complete a Type 1 in a matter of weeks. Type 2 adds the calendar itself as the main cost: you cannot compress a 6-month observation period, and evidence must accrue across it.

The dominant expense in a Type 2 is not the assessor's fee, it is the operational discipline of running controls cleanly for months and collecting evidence continuously. A missed quarterly access review, or a change deployed without an approval ticket, becomes an exception you cannot retroactively fix. Most teams starting from scratch should plan several weeks of readiness work, then a 3-month minimum window for a first Type 2, with 6 or 12 months being common for renewals.

When does starting with a Type 1 make sense?

Start with a Type 1 when you need proof of a credible control environment before a Type 2 window can realistically close, and a deal or funding milestone depends on it. It forces you to formalize policies, stand up MFA and least privilege, and document your joiner/mover/leaver process, which is exactly the groundwork a Type 2 requires anyway. The Type 1 becomes a dry run that de-risks the longer engagement.

Skip the Type 1 when you are not under time pressure. If no buyer is demanding assurance this quarter, spend the money going straight to Type 2, because that is the report you will ultimately need. Paying for both is only worth it when the interim Type 1 directly unlocks revenue or shortens a sales cycle.

What is a bridge letter and why do you need one?

A bridge letter (also called a gap letter) covers the period between the end of your Type 2 report and the date a buyer is evaluating you. A SOC 2 report is historical: a report ending March 31 says nothing about April through, say, an August review. The bridge letter, written by your management, attests that no material changes to your control environment have occurred in that gap and that controls continue to operate as described.

One limit matters: a bridge letter is your assertion, not the assessor's opinion. It carries less weight than the report itself and should cover only a short gap, typically no more than three months. If the gap stretches past a quarter, buyers will rightly ask for your next Type 2 rather than another bridge letter. Keep report periods contiguous and you minimize how often you lean on bridges at all.

FAQ

Is a SOC 2 Type 1 worth getting if buyers want Type 2?

Yes, but usually only as an interim step. A Type 1 is worth it when an urgent buyer or funding milestone needs assurance before your first Type 2 observation window can close. It also forces you to formalize policies, MFA, least privilege, and your joiner/mover/leaver process, which is the exact groundwork Type 2 requires. If no one is demanding assurance right now, skip it and go straight to Type 2 to avoid paying for two engagements.

How long does a SOC 2 Type 2 observation period have to be?

There is no fixed rule, but the practical minimum for a first report is about 3 months, and 6 or 12 months is common, especially for renewals. The period must be long enough for the assessor to sample controls operating over time, so you cannot compress it. Most teams run a first 3-month window to get a report to market, then move to a 12-month cycle aligned to the prior report's end date to keep coverage continuous.

How long is a SOC 2 bridge letter valid?

A bridge letter should cover only a short gap between your report's end date and the current review, typically no more than three months. Because it is a management self-attestation rather than the assessor's opinion, it carries less weight than the report itself. If the gap exceeds a quarter, buyers will generally expect your next Type 2 report instead of another bridge letter.

SOC 2 Type 1 proves your controls are designed correctly at a point in time; Type 2 proves they operated effectively over a 3-12 month period via sampling. Enterprise buyers almost always want Type 2, so start there unless an urgent deal forces an interim Type 1, and use bridge letters only to cover short gaps between reports.