The term ‘SOC level 2’ is often a misnomer for SOC 2 Type II. In the world of SOC auditing, there are two ‘Types’ rather than levels. A Type I report describes a company’s systems and whether their controls are suitably designed to meet relevant trust principles at a specific point in time (a ‘snapshot’). A Type II report is much more rigorous; it involves an audit that spans a period of timeâusually six to twelve monthsâto prove that those controls are not just designed well, but are actually operating effectively in practice. When a client asks for a ‘level 2,’ they are typically looking for the Type II report, as it provides historical evidence that the company has consistently followed its security protocols over a long duration.
