SOC 2 Type 1
Bottom line
SOC 2 Type 1 is an AICPA attestation, not a certification. A licensed CPA firm issues the report after evaluating whether security controls are suitably designed at a single point in time. Typical cost: $7.5K–$30K over 3–6 months.
One of 10 compliance framework explainers we maintain.
Key facts
- Controls: 5 Trust Services Criteria categories (Security required; Availability, Confidentiality, Processing Integrity, Privacy optional). 9 Common Criteria with 64+ points of focus.
- Recertification cycle: Annual refresh (point-in-time report)
- Common gap categories: Access management (CC6); Change management (CC8); Risk assessment (CC3); Vendor management (CC9)
- Related standards: SOC 2 Type 2; SOC 3; ISO 27001; HIPAA Security Rule
What is SOC 2 Type 1?
An attestation report governed by the AICPA, using the 2017 Trust Services Criteria (revised 2022), that evaluates whether a service organization's security controls are suitably designed at a single point in time.
Is SOC 2 Type 1 a certification or an attestation?
SOC 2 Type 1 is an attestation, not a certification. The report is issued by an independent CPA firm licensed by the AICPA. There is no SOC 2 certification body, no certificate document, and no public registry to look up.
Who needs SOC 2 Type 1?
B2B SaaS companies facing early enterprise procurement scrutiny who need fast proof of security posture before a Type 2 report (which requires an observation period) is feasible.
What does SOC 2 Type 1 cost and how long does it take?
Range
$7.5K–$30K / 3–6 months
Auditor fees of $7.5K–$30K covering 1–3 months of preparation plus 2–5 weeks of fieldwork.
One thing to watch
Type 1 is widely treated as a stepping stone. Most enterprise buyers will follow up within 12 months asking for Type 2.
Sources
Last verified 2026-05-13. Found a stale or wrong source? Email hello@soc2auditors.org.