GRC · SOC 2 · ISO 27001 · GDPR · PCI-DSS

Multi-framework GRC your team can defend.

Built for GRC teams in fintech, healthcare, RegTech, and B2B SaaS. Actionable controls, human-verified evidence, and cross-framework reuse across SOC 2, ISO 27001, GDPR, and PCI-DSS.

FREE UP TO YOUR FIRST PERSONALIZED CHECKLIST · NO CARD

app.auditoak.com/frameworks/soc2
SOC 2 · SECURITY
Controls checklist
61% (34 / 56 verified)
CC6.1  Access control policy & quarterly review  Verified
CC6.7  Data-in-transit encryption (TLS)  Verified
CC6.6  Multi-factor authentication enforced  In Progress
CC7.2  Security event monitoring  Not Started

TRUSTED BY GRC TEAMS IN FINTECH, HEALTH & SaaS: Northwind · Vela · Quanta · Beacon · Lumen
SCOPE · CONFIRM · PROVE

The whole journey, one root system

From your first checklist to an auditor-ready evidence package, without the jargon or the busywork.

Scope

Answer a few questions and we trim 90+ generic controls down to the ones that actually apply to you.

Confirm

Verify a control once and we flag the matching controls in your other frameworks for you to confirm.

Prove

Every piece of evidence is versioned and audit-ready. Export a clean package when the auditor calls.

THE WEDGE

Every control, clearly defined

Most tools hand you a control ID and a wall of policy language. We tell you what it actually means, exactly how to satisfy it, and what good evidence looks like, so you're never guessing.

Clear control headings: what the requirement means for your environment, not policy-speak.
Numbered action steps: concrete things to do, in order.
Evidence examples: know exactly what to upload before you start.

CC6.6 · SOC 2 · Common Criteria

Turn on multi-factor authentication

You need every employee to log in with a second factor, not just a password, on anything that touches customer data.

HOW TO SATISFY THIS
1. Open your identity provider (Google, Okta, Entra) admin console.
2. Turn on enforced MFA for all users, not just admins.
3. Screenshot the enforced setting with the date visible, and upload it here.

WHAT GOOD EVIDENCE LOOKS LIKE
✓ A screenshot of your identity provider showing MFA enforced org-wide, with the date visible.

THE MOAT · CROSS-FRAMEWORK REUSE

Do it once. Count it everywhere.

Most controls overlap across frameworks. When you verify one, we flag the likely matches in your other frameworks, and ask you to confirm. We never mark them automatically. That's a trust boundary, not a shortcut.

~60% of controls overlap across frameworks
100% human-confirmed, never auto-passed

Verified · SOC 2 CC6.1  |  Not started · ISO 27001 A.5.15
Access Control Policy & Review
Both require a documented access control policy with quarterly reviews. The evidence you uploaded for SOC 2 likely satisfies the ISO requirement too.
[Confirm, satisfies both]  [Not quite]

FOUR FRAMEWORKS, ONE TAXONOMY

Start with one. Add the rest cheaply.

PRICING

Free to start. Pay as you add frameworks.

Reach a personalized checklist for free. Add evidence, your team, and more frameworks when you're ready.

FREE
Scoping
Reach a personalized checklist, free forever.
$0 / month
Start free
Scoping questionnaire
One framework checklist
Actionable control guidance
Readiness score
Community support
MOST POPULAR
GROWTH
Team
Add evidence, your team, and the confirmation queue.
$99 / mo + frameworks
Start free trial
Everything in Scoping
Evidence library + versioning
Cross-framework confirmation queue
Unlimited team members
Add frameworks at $49 / mo each
Auditor workspace + scoped access
SCALE
Business
For teams running multiple audits at once.
Custom
Talk to us
Everything in Team
All four frameworks included
External auditor seats with expiry
SSO / SAML
Priority support + onboarding
Audit-ready export bundles

START FREE → ADD A FRAMEWORK WHEN YOU NEED IT → UPGRADE FOR UNLIMITED & AUDITOR ACCESS

COMMON QUESTIONS

The honest answers

Do you auto-verify controls with AI?

No. We surface likely matches across frameworks and explain why, but a human always confirms before anything is marked verified. That's a trust boundary we won't cross.

Is it really free to start?

Yes. You can run the scoping questionnaire and get a personalized, actionable checklist for one framework without a card. You pay when you add evidence storage, your team, or more frameworks.

How does cross-framework reuse work?

About 60% of controls overlap. When you verify one, we flag the matching controls in your other active frameworks and ask you to confirm, so work done once counts everywhere.

Can I give my auditor access?

Yes. You can invite an external auditor scoped to specific frameworks or controls, with an optional expiry date that auto-revokes access after the engagement.

What frameworks do you support?

SOC 2, ISO 27001:2022, GDPR, and PCI-DSS v4.0.1 today, all built on one master control taxonomy so they share evidence cleanly.

See your readiness in 5 minutes

Answer a few questions and get a personalized, actionable checklist, free, no card.

Get your free checklist →