Skill de IARun Audit PrepLegal
When SOC 2 audit is 6 months out and your enterprise pipeline depends on the report, walk every TSC control with infrastructure evidence ready. — Claude Skill
Walk SOC 2 Trust Services Criteria controls with audit-ready evidence.
- Covers Type I and Type II: design plus operating effectiveness over 3-12 month observation periods
- Every TSC category mapped: CC1-CC9 (common criteria), A1 (availability), PI1 (processing integrity), C1 (confidentiality), P1 (privacy)
- Infrastructure validation: cloud (AWS, GCP, Azure), DNS, TLS, endpoints, CI/CD pipelines
- Audit evidence collection per control: logs, tickets, screenshots, policy docs
- Output: gap analysis report plus remediation plan plus auditor-ready evidence index
Para quién es
Qué hace
Enterprise customer asked for SOC 2 last quarter
You promised the deal team a Type I report by Q4. A 30-minute gap analysis surfaces the 12 controls that aren't designed yet, the 8 that need policy docs, and the 4 that need infrastructure changes, with remediation timelines.
Type II observation period starts next month
You just finished Type I. The 6-month observation window starts Monday. Walk through which evidence streams need automation (logs, access reviews, change tickets) before the auditor returns, what's still manual, and where the gaps will surface.
CI/CD pipeline doesn't show change-control evidence
CC8 controls (change management) are weak. Walk the GitHub plus deploy pipeline. Surface where to add code-review enforcement, auto-attach Jira ticket numbers to commits, and required CODEOWNERS file structure.
TLS and certificate hygiene for CC6
Logical and physical access controls (CC6.6, CC6.7) require crypto controls. Audit your DNS, TLS configs, certificate expiry tracking, and encryption-at-rest evidence to get the table the auditor expects in the evidence packet.
Cómo funciona
1
Start with a readiness assessment: which TSC categories are in scope (most SaaS does CC1-CC9 plus A1).
2
Map your current controls per criterion. Skill walks each criterion with concrete questions.
3
Surface gaps: controls not yet designed, designed-but-not-operating, operating-but-no-evidence.
4
For each gap: remediation steps, infrastructure validation pattern (cloud, DNS, TLS, endpoints, CI/CD), and target evidence.
5
Output: gap report plus remediation plan ranked by audit risk plus per-criterion evidence index ready for the auditor.
Ejemplo
Audit scope
SaaS PM tool, 280 engineers, hosted on AWS multi-region. Type II audit starts in 4 months. Type I report from 2025. ISMS in place but evidence collection is manual.
30 minutes later
Readiness summary
CC1-CC5 (common criteria): 23/27 controls designed, 4 need policy refresh. CC6-CC9: 21 controls — strong on access controls, weak on change-management evidence (CC8.1-CC8.3). A1 (availability): 5 controls — DR runbooks exist but DR exercise log is missing for 2024.
Top 5 audit-risk gaps
1. CC8.1 — no GitHub PR review enforcement on infrastructure-as-code repo. 2. CC7.4 — vulnerability scan schedule is documented but evidence log not centralised. 3. CC6.8 — no automated user-access review every 90 days. 4. A1.2 — DR exercise from 2024 missing post-mortem doc. 5. PI1.4 — data-validation logic not documented per processing point.
Remediation timeline
Month 1: policy and process docs for CC8 and CC7.4. Month 2: automate CC6.8 access reviews via Okta plus role exports. Month 3: run DR exercise plus write post-mortem. Month 4: dry-run audit walkthrough with all evidence in one drive.
Auditor-ready evidence index
Each criterion maps to a folder: /soc2-evidence/CC8.1/, /CC6.8/, etc. Each folder has README.md describing the control, the evidence files, and a change log.
Métricas que mejora
Compliance Gap Coverage
Surfaces every gap against TSC categories with remediation steps before the auditor finds them
LegalStrategic vs Reactive Work
Front-loads control work — moves the team from scramble-mode in audit week to scheduled prep months ahead
LegalVendor Risk Visibility
Vendor inventory with last-review dates plus SOC 2 status of each subprocessor
LegalFunciona con
Google Sheets
manualControl matrix and gap-tracking spreadsheet, exportable to the auditor
Jira
manualSource of change-management tickets (CC8) and vulnerability tickets (CC7.4)
DocuSign CLM
manualSubprocessor agreements and policy attestations for CC9 vendor management
Notion
manualPolicy and process documentation; per-criterion evidence index lives in a Notion database
¿Quieres usar SOC 2 Compliance Expert?
Elige cómo empezar.
Ejecutar en Claude Code
Gratis. Código abierto.
Instala y ejecuta este skill localmente en tu computadora.
1
Instalar Claude Code
Abre una terminal en tu computadora y pega este comando:
2
Instalar el skill
Esto descarga el skill con todos sus archivos en tu computadora:
Añade -g al final para tenerlo disponible en todos tus proyectos.
3
Ver código en GitHub Ejecútalo
Inicia Claude Code, luego escribe el comando:
luego
SOC 2 Compliance Expert
SOC 2 Type I and Type II compliance management covering all Trust Services Criteria (TSC), infrastructure security validation, evidence collection, and end-to-end audit preparation.
SOC 2 Overview
Type I vs Type II
| Aspect | Type I | Type II |
|---|---|---|
| Scope | Design of controls at a point in time | Design AND operating effectiveness over a period |
| Duration | Single date (snapshot) | Observation period (3-12 months, typically 6-12) |
| Cost | $20K-$60K (first audit) | $40K-$150K (first audit) |
| Timeline | 1-3 months | 6-15 months (includes observation period) |
| Customer Preference | Early-stage acceptable | Enterprise customers require |
Start with Type I to validate control design, then transition to Type II within 6 months.
Trust Services Criteria Summary
| Category | Focus | Controls |
|---|---|---|
| CC1-CC5 | Common Criteria (COSO-based) | Control environment, communication, risk, monitoring, control activities |
| CC6 | Logical and Physical Access | Authentication, authorization, physical security, encryption |
| CC7 | System Operations | Vulnerability management, monitoring, incident response, BCP |
| CC8 | Change Management | Authorization, testing, deployment controls |
| CC9 | Risk Mitigation | Vendor management, business disruption, risk transfer |
| A1 | Availability | Capacity planning, DR, recovery testing |
| PI1 | Processing Integrity | Data validation, error handling, reconciliation |
| C1 | Confidentiality | Classification, encryption, disposal |
| P1 | Privacy | Notice, consent, data subject rights, retention |
For detailed control requirements per category, see REFERENCE.md.
Readiness Assessment Workflow
The agent guides organizations through SOC 2 readiness from gap analysis through audit completion.
Workflow: Phase 1 -- Gap Analysis (Weeks 1-4)
- Define scope -- determine which TSC categories to include (Security is mandatory), define system boundaries, identify subservice organizations (carve-out vs. inclusive), document principal service commitments.
- Assess current state -- inventory existing policies and procedures, map current controls to TSC requirements, interview process owners and control operators.
- Run automated gap analysis using
scripts/soc2_readiness_checker.py. - Document gaps -- missing controls, controls lacking evidence, controls not operating effectively.
- Prioritize gaps by risk level and remediation effort.
- Validation checkpoint: Gap analysis covers all in-scope TSC categories; each gap has severity rating and remediation owner assigned.
Workflow: Phase 2 -- Remediation (Weeks 5-16)
- Develop/update policies -- information security policy, supporting procedures per control domain, policy review and approval workflows.
- Implement technical controls -- configure IdP with SSO/MFA enforcement, deploy endpoint security (MDM, EDR, disk encryption), implement SIEM logging and monitoring, configure backup and DR, harden cloud infrastructure.
- Establish processes -- access review procedures, change management workflow, incident response procedures, vendor management program, security awareness training.
- Set up evidence collection -- configure automated collection, establish repository structure, define refresh cadence per TSC category.
- Validation checkpoint: All identified gaps remediated; technical controls verified via
scripts/soc2_infrastructure_auditor.py; evidence collection producing artifacts.
Workflow: Phase 3 -- Pre-Audit (Weeks 17-20)
- Conduct internal readiness assessment -- mock audit against all in-scope TSC, validate evidence completeness and quality, run infrastructure auditor for technical validation.
- Remediate pre-audit findings -- address remaining gaps, strengthen evidence.
- Select and engage CPA firm -- negotiate scope, timeline, fees; schedule kickoff; prepare system description draft.
- Validation checkpoint: Mock audit passes with no critical gaps; system description reviewed; auditor engaged.
Workflow: Phase 4 -- Audit Execution
- Type I audit (if applicable) -- auditor reviews control design; management provides assertions; address findings before Type II.
- Type II observation period (3-12 months) -- controls operate consistently, evidence collected continuously, quarterly self-assessments, regular auditor check-ins.
- Fieldwork (2-4 weeks) -- auditor selects samples, tests controls, interviews personnel; draft report review; final report issuance.
- Validation checkpoint: Clean opinion received; any findings have management response and remediation plan.
Evidence Collection Framework
Evidence by TSC Category
| TSC | Evidence Type | Collection Method | Refresh |
|---|---|---|---|
| CC1 | Code of conduct acknowledgments | HR system export | Annual |
| CC2 | Security awareness training records | LMS export | Ongoing |
| CC3 | Risk assessment report, risk register | GRC platform | Annual/Quarterly |
| CC4 | Penetration test reports, vulnerability scans | Third-party/scanner | Annual/Monthly |
| CC5 | Policy documents with version history | Policy management | Annual review |
| CC6 | Access reviews, MFA enrollment, offboarding | IAM/IdP/HRIS | Quarterly/Per event |
| CC7 | Vulnerability remediation, incident records | Ticketing/ITSM | Ongoing |
| CC8 | Change tickets with approvals, code reviews | ITSM/Git | Per change |
| CC9 | Vendor risk assessments, vendor SOC 2 reports | GRC platform | Annual |
| A1 | Uptime reports, DR tests, backup logs | Monitoring/backup | Monthly/Semi-annual |
| PI1 | Data validation/reconciliation reports | Application logs | Per process |
| C1 | Data classification inventory, encryption configs | Manual/automated | Annual/Quarterly |
| P1 | PIAs, DSR response tracking | Privacy tool | Per event |
Example: Evidence Collection Command
# Generate evidence checklist for all TSC categories
python scripts/evidence_collector.py --generate-checklist --categories all
# Track evidence status
python scripts/evidence_collector.py --status evidence-tracker.json
# Update specific evidence item
python scripts/evidence_collector.py --update evidence-tracker.json \
--item CC6.1-MFA --status collected
# Generate readiness dashboard
python scripts/evidence_collector.py --dashboard evidence-tracker.json
# Export for auditor review
python scripts/evidence_collector.py --export evidence-tracker.json --format json
Automation Strategies
GRC Platforms: Vanta, Drata, Secureframe, Laika, AuditBoard -- automated evidence collection via API integrations, continuous control monitoring, auditor collaboration portals.
Infrastructure-as-Evidence: Cloud configuration snapshots (AWS Config, Azure Policy, GCP Org Policies), Terraform state as configuration evidence, Git history as change management evidence, CI/CD pipeline logs as deployment control evidence.
Infrastructure Security Validation
The agent validates infrastructure configurations against SOC 2 requirements.
Quick Reference: Infrastructure Checks
| Domain | Key Checks | SOC 2 Mapping |
|---|---|---|
| Cloud (AWS/Azure/GCP) | Encryption, IAM, logging, network, backup, secrets | CC6, CC7, A1, C1 |
| DNS | SPF, DKIM, DMARC, DNSSEC, CAA | CC6.6, CC2.2 |
| TLS/SSL | TLS 1.2+, AEAD ciphers, HSTS, auto-renewal | CC6.7 |
| Endpoint | MDM, disk encryption, EDR, patching, screen lock | CC6.1, CC6.8, CC7.1 |
| Network | Segmentation, WAF, DDoS, VPN/ZTNA, egress filtering | CC6.6, A1.1 |
| Container | Image scanning, minimal base, no privileged, RBAC | CC6.1, CC7.1 |
| CI/CD | Signed commits, branch protection, SAST/DAST, SBOM | CC7.1, CC8.1 |
| Secrets | Vault storage, rotation policies, git scanning | CC6.1 |
For detailed per-provider control mappings, see REFERENCE.md.
Example: Infrastructure Audit Command
# Full infrastructure audit
python scripts/soc2_infrastructure_auditor.py --config infra-config.json
# Audit specific domains only
python scripts/soc2_infrastructure_auditor.py --config infra-config.json \
--domains dns tls cloud
# JSON output with severity ratings
python scripts/soc2_infrastructure_auditor.py --config infra-config.json --format json
# Generate sample configuration template
python scripts/soc2_infrastructure_auditor.py --generate-template
Audit Timeline
Typical Timeline (First SOC 2)
| Phase | Duration | Activities |
|---|---|---|
| Scoping | 2-4 weeks | Define TSC, system boundaries, auditor selection |
| Gap Analysis | 2-4 weeks | Assess current controls, identify gaps |
| Remediation | 8-16 weeks | Implement missing controls, policies, procedures |
| Type I Audit | 2-4 weeks | Point-in-time control design assessment |
| Type II Observation | 3-12 months | Controls operate, evidence collected continuously |
| Type II Fieldwork | 2-4 weeks | Auditor testing, evidence review, interviews |
| Report Issuance | 2-4 weeks | Draft review, management response, final report |
Annual Renewal
- Begin renewal planning 3 months before observation period ends
- Maintain continuous compliance between audit periods
- Address prior-year findings before new observation period
- Bridge letters available for gaps between reports
Incident Response Requirements
IRP Structure
- Preparation -- IR team defined, communication channels established, runbooks for common incidents, legal/PR contacts on retainer.
- Detection and Analysis -- monitoring/alerting coverage, severity classification (SEV1-SEV4), triage procedures, escalation matrix.
- Containment, Eradication, Recovery -- isolate affected systems, preserve evidence, identify root cause, restore and validate.
- Post-Incident -- blameless post-mortem within 5 business days, lessons learned, control improvements, notification assessment (MTTD, MTTR, MTTC tracking).
For severity level definitions and breach notification timelines, see REFERENCE.md.
Tools
SOC 2 Readiness Checker
# Full readiness assessment
python scripts/soc2_readiness_checker.py --config org-controls.json
# JSON output for programmatic use
python scripts/soc2_readiness_checker.py --config org-controls.json --format json
# Check specific TSC categories
python scripts/soc2_readiness_checker.py --config org-controls.json \
--categories security availability
# Include cloud provider control mapping
python scripts/soc2_readiness_checker.py --config org-controls.json --cloud-mapping
Evidence Collector
# Generate checklist and track status
python scripts/evidence_collector.py --generate-checklist --categories all
python scripts/evidence_collector.py --status evidence-tracker.json
python scripts/evidence_collector.py --dashboard evidence-tracker.json
Infrastructure Auditor
# Validate infrastructure against SOC 2 requirements
python scripts/soc2_infrastructure_auditor.py --config infra-config.json
python scripts/soc2_infrastructure_auditor.py --config infra-config.json --format json
References
| Document | Description |
|---|---|
| REFERENCE.md | Detailed TSC controls, infrastructure checks, access control specs, vendor management, training, IRP, BC/DR |
| Trust Services Criteria Guide | Complete TSC reference with control objectives and audit questions |
| Infrastructure Security Controls | Cloud, DNS, TLS, endpoint, container, CI/CD security configurations |
| Audit Preparation Playbook | End-to-end audit prep guide with timelines, checklists, cost estimation |
Troubleshooting
| Problem | Likely Cause | Resolution |
|---|---|---|
| Readiness checker scores are 0% across all categories | Controls JSON missing config_key values or all set to false | Verify the input JSON maps each TSC control to a boolean value under the correct config_key. Run --generate-sample > sample-config.json to see the expected structure. |
| Infrastructure auditor reports all checks as "fail" | Infrastructure config JSON is empty or uses wrong key names | Run --generate-template to produce a valid template. Populate DNS, TLS, cloud, endpoint, and other sections with actual infrastructure state. |
| Evidence collector checklist missing categories | --categories flag filtering output | Use --categories all to generate the complete checklist. Available categories: security, availability, processing_integrity, confidentiality, privacy. |
| Evidence tracker status not updating | Tracker file path incorrect or file not writable | Verify the path passed to --status or --update points to an existing tracker JSON file. Check file permissions. |
| Cloud mapping not appearing in readiness report | --cloud-mapping flag not included | Add --cloud-mapping to the readiness checker command to include AWS/Azure/GCP control mappings in the output. |
| Type II observation period too short for auditor | Observation period is less than 3 months | Most CPA firms require a minimum 3-month observation period for Type II. A 6-12 month period carries more weight. Plan the observation window during the scoping phase. |
| Auditor requests evidence not in the tracker | Evidence catalog does not cover all TSC subcriteria for the selected scope | Supplement the auto-generated checklist with auditor-specific evidence requests. Each CPA firm may have additional requirements beyond the standard TSC evidence items. |
Success Criteria
- SOC 2 scope defined with all applicable TSC categories selected, system boundaries documented, and subservice organizations identified (carve-out vs inclusive)
- Gap analysis completed with every identified gap assigned a severity rating, remediation owner, and target completion date
- Readiness score of 80%+ across all in-scope TSC categories before engaging the CPA firm, trending to 95%+ before Type II fieldwork
- Evidence collection framework operational with centralized repository, defined refresh cadence per TSC category, and automated collection where possible
- Infrastructure audit passes with no critical or high-severity findings in DNS, TLS, cloud, endpoint, or access control domains
- Type II observation period of at least 6 months with continuous control operation, quarterly self-assessments, and no significant control failures
- Clean SOC 2 Type II opinion received with any findings addressed by management response and documented remediation plans
Scope & Limitations
In Scope:
- SOC 2 Type I and Type II readiness assessment against all TSC categories (CC1-CC9, A1, PI1, C1, P1)
- Infrastructure security validation (DNS, TLS, cloud, endpoint, network, container, CI/CD, secrets)
- Evidence collection framework generation and tracking
- Gap analysis with severity-rated findings and remediation guidance
- Audit timeline planning and CPA firm engagement preparation
- Incident response plan structure and requirements
- Continuous compliance program design
Out of Scope:
- CPA firm audit execution (the tools prepare for audit; the actual Type I/II report requires an independent CPA firm)
- SOC 1 (ICFR) assessment (SOC 1 covers financial reporting controls, not security/availability/privacy)
- SOC 3 report generation (SOC 3 is a public-facing summary derived from SOC 2; it requires a completed SOC 2 audit)
- Penetration testing execution (use infrastructure-compliance-auditor or engage a third-party pentest firm)
- GRC platform selection or implementation (the skill is compatible with Vanta, Drata, Secureframe, etc., but does not implement them)
- Legal advice on customer contractual requirements for SOC 2 reports
- Physical security assessments (the infrastructure auditor covers logical controls; physical data center audits require on-site assessment)
Integration Points
| Skill | Integration |
|---|---|
| infrastructure-compliance-auditor | Provides Vanta-level infrastructure checks across cloud, DNS, TLS, endpoints, access controls, and CI/CD that map directly to SOC 2 TSC requirements |
| nist-csf-specialist | NIST CSF functions map to SOC 2 TSC categories; use the control mapper to build unified control matrices for organizations pursuing both |
| information-security-manager-iso27001 | ISO 27001 Annex A controls provide a management system backbone that satisfies many SOC 2 requirements; shared evidence reduces audit burden |
| pci-dss-specialist | PCI DSS requirements overlap with SOC 2 CC6 (access), CC7 (operations), CC8 (change management); shared controls for payment-processing organizations |
| gdpr-dsgvo-expert | GDPR requirements align with SOC 2 Privacy (P1) criteria; organizations processing EU personal data can leverage shared privacy controls |
| nis2-directive-specialist | NIS2 minimum security measures overlap with SOC 2 security criteria; EU entities can map shared incident response, access control, and encryption controls |
Tool Reference
soc2_readiness_checker.py
Evaluates organizational controls against SOC 2 Trust Services Criteria with per-category scoring.
| Flag | Required | Description |
|---|---|---|
--config | Yes (or --generate-sample) | Path to organization controls JSON file with boolean values for each TSC control |
--format | No | Output format: json for structured output, omit for human-readable text |
--categories | No | Space-separated TSC categories to assess (e.g., security availability). Omit for all. |
--cloud-mapping | No | Include cloud provider (AWS/Azure/GCP) control mappings in the output |
--generate-sample | No | Generate a sample controls JSON template (pipe to file with > sample-config.json) |
evidence_collector.py
Generates evidence collection checklists and tracks evidence gathering status.
| Flag | Required | Description |
|---|---|---|
--generate-checklist | No | Generate an evidence collection checklist for the specified categories |
--categories | No | Space-separated TSC categories: security, availability, processing_integrity, confidentiality, privacy, or all |
--status | No | Path to evidence tracker JSON file to display collection status |
--update | No | Path to evidence tracker JSON file to update (use with --item and --status) |
--item | No | Evidence item identifier to update (e.g., CC6.1-MFA) |
--dashboard | No | Path to evidence tracker JSON file to generate a readiness dashboard |
--export | No | Path to evidence tracker JSON file to export |
--format | No | Export format: json for structured output |
soc2_infrastructure_auditor.py
Audits infrastructure configurations against SOC 2 requirements with severity-rated findings.
| Flag | Required | Description |
|---|---|---|
--config | Yes (or --generate-template) | Path to infrastructure configuration JSON file with DNS, TLS, cloud, endpoint, and other domain settings |
--format | No | Output format: json for structured findings with severity ratings, omit for human-readable text |
--domains | No | Space-separated infrastructure domains to audit (e.g., dns tls cloud). Omit for all domains. |
--generate-template | No | Generate a sample infrastructure configuration template (pipe to file with > infra-config.json) |