SOC 2 comes in two report types. A Type I reports whether your controls are suitably designed at a single point in time. A Type II reports whether they operated effectively over a period, commonly three to twelve months. Type II is the one most customers actually ask for.
A Type I report is the one most teams reach for first, and the one most enterprise buyers quietly set aside. It proves your controls existed on a single day. It says nothing about whether they were still working the day after. Both reports carry the same name and the same Trust Services Criteria. What separates them is what the auditor is allowed to test.
What is the difference between Type I and Type II?
Both are SOC 2 reports written by an independent licensed CPA firm under the AICPA attestation standards (SSAE 18, AT-C section 205), against the same Trust Services Criteria. The difference is the question the auditor answers. A Type I tests whether your controls are suitably designed as at a single date. A Type II tests whether those controls operated effectively across a whole period. The auditor samples evidence from across the window, not from one snapshot, so a control configured the night before the audit will not survive a Type II.
| | Type I | Type II |
|---|---|---|
| What it tests | Control design at a point in time | Operating effectiveness over a period |
| Period covered | A single date | Commonly 3 to 12 months |
| Evidence | Controls in place on the date | Samples across the whole window |
| The opinion | Suitably designed as at the date | Designed and operating effectively over the period |
| What it proves | The control exists | The control holds up over time |
| Who asks for it | Rarely enough on its own | What most customers want |
Which report do customers actually accept?
Most enterprise and United States buyers ask for a Type II. A Type I is usually treated as a milestone on the way there, not the destination. Vendor risk and procurement teams want evidence the controls held up over time, because a single clean day tells them little about the other 364. A Type I can unblock an early deal or satisfy a lighter contractual requirement, but the line in the security questionnaire is almost always “do you hold a current SOC 2 Type II”. A point-in-time snapshot rarely closes an enterprise deal. If your buyers sit in Europe or in Australian government tenders, the more common ask is the international standard, which we set side by side in SOC 2 vs ISO 27001.
How long does the Type II observation period need to be?
There is no single mandated length. The observation period is commonly three to twelve months. A first Type II often runs six to twelve months, and renewals usually cover a twelve-month period so reports stay continuous. The auditor needs operating history to sample from, so the controls must be running before the window opens, not assembled for it. A shorter three-month window gets you to a first report faster but covers less ground, which sharper buyers will notice. Most companies settle into an annual cycle once the first report is out. The wider SOC 2 guide walks through cost and timeline.
Should you start with Type I or go straight to Type II?
It depends on your deadline and how mature your controls already are. If a customer needs assurance now and your controls are young, a Type I first, then a Type II covering the following period, is a reasonable two-step path. If your controls already operate and you can wait for an observation window, going straight to Type II avoids paying for two reports. The judgement call sits with your timeline, not with the auditor. The one path that wastes money is buying a Type I out of habit when the customer was always going to require Type II. Cybernion runs SOC 2 readiness up to the audit, so the controls are operating before the observation window opens.
What is a bridge letter, and when do you need one?
A bridge letter, sometimes called a gap letter, covers the time between the end of your Type II period and the date a customer asks for the report. It is written by your organisation, not the auditor, and carries no audit opinion. If your report covers the year to 31 December and a prospect asks in February, the bridge letter states that no material changes to the control environment occurred in the gap. It is a stopgap, usually held to around three months, and it is not assurance. A bridge letter is a statement, not an audit. The durable fix is a rolling twelve-month period so the next report lands before the last one ages.
It can be, if you need to show progress to a customer before a full Type II period has elapsed, or your controls are too new to evidence over time. Many companies treat it as a milestone, not the end goal.
Yes. If your controls already operate, you can run an observation period and issue a Type II without a prior Type I, which avoids paying for two reports.
Annually. Most companies run a rolling twelve month observation period so reports stay continuous, using a bridge letter to cover any short gap before the next report is issued.
No. SOC 2 is an attestation report and opinion written by a licensed CPA firm. There is no certificate and no pass mark, for either Type I or Type II.
Written by Gaurav Vikash, an ASD-endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC, is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Talk to us. We aren’t always chasing a transaction.
Sources:
- AICPA, 2017 Trust Services Criteria (with Revised Points of Focus, 2022), 2022
- AICPA, SOC 2 reporting guidance, accessed June 2026
- AICPA, Mapping the 2017 Trust Services Criteria to ISO/IEC 27001, 2022
Last updated: 21 June, 2026
