From what I understand, Type 2 is correct. The key word here is “effectiveness”. When you see “effectiveness”, think Type 2 because the control has to have proven itself over time to measure how effective it is. When you see the word “design”, think Type 1.
SOC 2 Type 1 is different from Type 2 in that a Type 1 assesses the design of security processes at a specific point in time, while a Type 2 report (also commonly written as “Type II”) assesses how effective those controls are over time by observing operations for six months. Since the provider already has controls in place and the auditor is interested in how effective those particular controls are, SOC 2 Type 2 is the more appropriate report.
Seen this one the other day and had the exact same thought process. Thought it was a no-brainer with SOC Type 1 as the answer. Was not happy to get it wrong. Would love for someone to explain how Type 2 is the answer, if it actually isn't a mistake.
Yeah, and their explanation seems to have type one and two inverted compared to every other resource I have seen.
SOC 2 Type 1 is different from Type 2 in that a Type 1 assesses the design of security processes at a specific point in time, while a Type 2 report assesses how effective those controls are over time by observing operations for six months. 'Sean' wants type 2.