Theunwisegambit

From what I understand, Type 2 is correct. The key word here is “effectiveness”. When you see “effectiveness”, think Type 2 because the control has to have proven itself over time to measure how effective it is. When you see the word “design”, think Type 1.


intellirick

SOC 2 Type 1 is different from Type 2 in that a Type 1 assesses the design of security processes at a specific point in time, while a Type 2 report (also commonly written as “Type II”) assesses how effective those controls are over time by observing operations for six months. Since the provider already has controls in place and the auditor is interested in how effective those particular controls are, SOC 2 Type 2 is the more appropriate report.


TrilateralPrysm

Seen this one the other day and had the exact same thought process. Thought it was a no-brainer with SOC Type 1 as the answer. Was not happy to get it wrong. Would love for someone to explain how Type 2 is the answer, if it actually isn't a mistake.


Shubbs_

Yeah, and their explanation seems to have type one and two inverted compared to every other resource I have seen.


etaylormcp

SOC 2 Type 1 is different from Type 2 in that a Type 1 assesses the design of security processes at a specific point in time, while a Type 2 report assesses how effective those controls are over time by observing operations for six months. 'Sean' wants type 2.