
The Ultimate SOC 2 Checklist

A six-step checklist for SOC 2, from setting your scope and Trust Services Criteria to collecting the evidence an auditor signs off, whether you're going for Type 1 or Type 2.

SOC 2 is how a business proves it handles customer data the way it promises. A Type 1 report is a snapshot in time; a Type 2 report shows the same controls holding up across months of evidence. This checklist walks the six steps behind both, so you know what "in scope" means, what to put in place, and what an auditor will actually ask for.

What's inside:

  • Scope: clarify why you're doing SOC 2 and which Trust Services Criteria apply (Security, plus Availability, Confidentiality, Processing Integrity or Privacy)
  • Foundation: the policies, owners and team training a SOC 2 programme rests on
  • Internal audit: run a gap analysis to find the weak spots before your auditor does
  • Controls: access control, MFA, vendor management, logging and incident response, in practice
  • Documentation: the records, version control and full-period evidence a Type 2 report needs
  • Stay compliant: the reviews, risk assessments and continuous monitoring that keep the report clean year on year

By the end, you'll know which controls you can already evidence, where the gaps are, what "audit-ready" looks like for SOC 2 specifically, and how to hold it across the whole reporting period.

Questions? We've Got You Covered

Planning an audit? These will help.
For anything else, just ask.

What is SOC 2?

ISO/IEC 42001 is the international standard for AI management systems. It sets out how an organisation governs the way it develops, deploys and monitors AI — covering accountability, risk, impact assessment and lifecycle controls.

What's the difference between SOC 2 Type 1 and Type 2?

Compliance leads, CISOs and engineering managers preparing for a first ISO 42001 audit, or scoping what certification would involve before committing budget to it.

Who is this SOC 2 checklist for?

No. Both standards share the same management-system structure, so an existing ISMS speeds things up considerably — but ISO 42001 can be implemented and certified on its own.

How long does SOC 2 take?

It depends on how many AI systems are in scope and how mature your governance already is. Most teams plan a few months from gap assessment to audit; the checklist helps you map that work up front.

Is the checklist really free?

Yes. Enter a business email and the download unlocks straight away — no sales call attached.