[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"skill-c5be4e45-2ecb-4fe7-8d8b-2e8f0c89102f":3,"$fwkvBXse5yEpJ3L06200_Im88_-20sAjD72dhNgU4O18":43},{"id":4,"title":5,"description":6,"categoryId":7,"moduleId":8,"tags":9,"prompt":10,"icon":11,"source":12,"sourceUrl":13,"authorId":14,"authorName":15,"isPublic":16,"stars":17,"runs":18,"createdAt":19,"updatedAt":19,"module":20,"category":27,"packages":34},"c5be4e45-2ecb-4fe7-8d8b-2e8f0c89102f","soc2-compliance","Use when the user asks to prepare for a SOC 2 audit, map Trust Service Criteria, build a control matrix, collect audit evidence, perform gap analysis, or assess SOC 2 Type I vs Type II readiness.","cat_coding_review","mod_coding","alirezarezvani,coding","---\nname: \"soc2-compliance\"\ndescription: \"Use when the user asks to prepare for SOC 2 audits, map Trust Service Criteria, build control matrices, collect audit evidence, perform gap analysis, or assess SOC 2 Type I vs Type II readiness.\"\n---\n\n# SOC 2 Compliance\n\nSOC 2 Type I and Type II compliance preparation for SaaS companies. Covers Trust Service Criteria mapping, control matrix generation, evidence collection, gap analysis, and audit readiness assessment.\n\n## Table of Contents\n\n- [Overview](#overview)\n- [Trust Service Criteria](#trust-service-criteria)\n- [Control Matrix Generation](#control-matrix-generation)\n- [Gap Analysis Workflow](#gap-analysis-workflow)\n- [Evidence Collection](#evidence-collection)\n- [Audit Readiness Checklist](#audit-readiness-checklist)\n- [Vendor Management](#vendor-management)\n- [Continuous Compliance](#continuous-compliance)\n- [Anti-Patterns](#anti-patterns)\n- [Tools](#tools)\n- [References](#references)\n- [Cross-References](#cross-references)\n\n---\n\n## Overview\n\n### What Is SOC 2?\n\nSOC 2 (System and Organization Controls 2) is an attestation framework developed by the AICPA under which an independent CPA firm evaluates the controls a service organization uses to protect customer data. 
It applies to any technology company that stores, processes, or transmits customer information — primarily SaaS, cloud infrastructure, and managed service providers.\n\n### Type I vs Type II\n\n| Aspect | Type I | Type II |\n|--------|--------|---------|\n| **Scope** | Design of controls at a point in time | Design AND operating effectiveness over a period |\n| **Duration** | Snapshot (single date) | Observation window (3-12 months, typically 6) |\n| **Evidence** | Control descriptions, policies | Control descriptions + operating evidence (logs, tickets, screenshots) |\n| **Cost** | $20K-$50K (audit fees) | $30K-$100K+ (audit fees) |\n| **Timeline** | 1-2 months (audit phase) | 6-12 months (observation + audit) |\n| **Best For** | First-time compliance, rapid market need | Mature organizations, enterprise customers |\n\n### Who Needs SOC 2?\n\n- **SaaS companies** selling to enterprise customers\n- **Cloud infrastructure providers** handling customer workloads\n- **Data processors** managing PII, PHI, or financial data\n- **Managed service providers** with access to client systems\n- **Any vendor** whose customers require third-party assurance\n\n### Typical Journey\n\n```\nGap Assessment → Remediation → Type I Audit → Observation Period → Type II Audit → Annual Renewal\n    (4-8 wk)      (8-16 wk)     (4-6 wk)       (6-12 mo)          (4-6 wk)       (ongoing)\n```\n\n---\n\n## Trust Service Criteria\n\nSOC 2 is organized around five Trust Service Criteria (TSC) categories. **Security** is required for every SOC 2 report; the remaining four are optional and selected based on business need.\n\n### Security (Common Criteria CC1-CC9) — Required\n\nThe foundation of every SOC 2 report. 
CC1-CC5 correspond to the 17 principles of the COSO 2013 Internal Control framework; CC6-CC9 are supplemental criteria that carry the technical security requirements.\n\n| Criteria | Domain | Key Controls |\n|----------|--------|-------------|\n| **CC1** | Control Environment | Integrity\u002Fethics, board oversight, org structure, competence, accountability |\n| **CC2** | Communication & Information | Internal\u002Fexternal communication, information quality |\n| **CC3** | Risk Assessment | Risk identification, fraud risk, change impact analysis |\n| **CC4** | Monitoring Activities | Ongoing monitoring, deficiency evaluation, corrective actions |\n| **CC5** | Control Activities | Policies\u002Fprocedures, technology controls, deployment through policies |\n| **CC6** | Logical & Physical Access | Access provisioning, authentication, encryption, physical restrictions |\n| **CC7** | System Operations | Vulnerability management, anomaly detection, incident response |\n| **CC8** | Change Management | Change authorization, testing, approval, emergency changes |\n| **CC9** | Risk Mitigation | Vendor\u002Fbusiness partner risk management |\n\n### Availability (A1) — Optional\n\n| Criteria | Focus | Key Controls |\n|----------|-------|-------------|\n| **A1.1** | Capacity management | Infrastructure scaling, resource monitoring, capacity planning |\n| **A1.2** | Recovery infrastructure | Environmental protections, backup procedures, disaster recovery infrastructure |\n| **A1.3** | Recovery testing | DR drills, failover testing, BCP exercises, RTO\u002FRPO validation |\n\n**Select when:** Customers depend on your uptime; you have SLAs; downtime causes direct business impact.\n\n### Confidentiality (C1) — Optional\n\nThe 2017 TSC define two confidentiality criteria.\n\n| Criteria | Focus | Key Controls |\n|----------|-------|-------------|\n| **C1.1** | Identification and protection | Data classification policy, confidential data inventory, encryption at rest and in transit, DLP, access restrictions |\n| **C1.2** | Disposal | Secure deletion procedures, media sanitization, retention enforcement |\n\n**Select when:** You handle trade secrets, proprietary data, or contractually confidential information.\n\n### Processing Integrity (PI1) — Optional\n\nThe 2017 TSC define five processing integrity criteria, one per stage of the processing lifecycle.\n\n| Criteria | Focus | Key Controls |\n|----------|-------|-------------|\n| **PI1.1** | Processing specifications | Documented definitions of the data processed and the processing performed, communicated to users |\n| **PI1.2** | Inputs | Input validation, completeness and accuracy checks on data received |\n| **PI1.3** | Processing | Processing checks, error handling, exception monitoring, segregation of duties, batch job monitoring |\n| **PI1.4** | Outputs | Output verification, reconciliation, timely delivery only to authorized recipients |\n| **PI1.5** | Storage | Stored data kept complete and accurate, protected, retained and disposed of per specification |\n\n**Select when:** Data accuracy is critical (financial processing, healthcare records, analytics platforms).\n\n### Privacy (P1-P8) — Optional\n\n| Criteria | Focus | Key Controls |\n|----------|-------|-------------|\n| **P1** | Notice | Privacy policy, data collection notice, purpose limitation |\n| **P2** | Choice & Consent | Opt-in\u002Fopt-out, consent management, preference tracking |\n| **P3** | Collection | Minimal collection, lawful basis, purpose specification |\n| **P4** | Use, Retention, Disposal | Purpose limitation, retention schedules, secure disposal |\n| **P5** | Access | Data subject access requests, correction rights |\n| **P6** | Disclosure & Notification | Third-party sharing, breach notification |\n| **P7** | Quality | Data accuracy verification, correction mechanisms |\n| **P8** | Monitoring & Enforcement | Privacy program monitoring, complaint handling |\n\n**Select when:** You process PII and customers expect privacy assurance (complements GDPR compliance).\n\n---\n\n## Control Matrix Generation\n\nA control matrix maps each TSC criterion to specific controls, owners, evidence, and testing procedures.\n\n### Matrix Structure\n\n| Field | Description |\n|-------|-------------|\n| **Control ID** | Unique identifier (e.g., SEC-001, AVL-003) |\n| **TSC Mapping** | Which criteria the control addresses (e.g., CC6.1, A1.2) |\n| **Control Description** | What the control does |\n| **Control Type** | Preventive, Detective, or Corrective |\n| **Owner** | Responsible 
person\u002Fteam |\n| **Frequency** | Continuous, Daily, Weekly, Monthly, Quarterly, Annual |\n| **Evidence Type** | Screenshot, Log, Policy, Config, Ticket |\n| **Testing Procedure** | How the auditor verifies the control |\n\n### Control Naming Convention\n\n```\n{CATEGORY}-{NUMBER}\nSEC-001 through SEC-NNN  → Security\nAVL-001 through AVL-NNN  → Availability\nCON-001 through CON-NNN  → Confidentiality\nPRI-001 through PRI-NNN  → Processing Integrity\nPRV-001 through PRV-NNN  → Privacy\n```\n\n### Workflow\n\n1. Select applicable TSC categories based on business needs\n2. Run `control_matrix_builder.py` to generate the baseline matrix\n3. Customize controls to match your actual environment\n4. Assign owners and evidence requirements\n5. Validate coverage — every selected TSC criterion must have at least one control\n\n---\n\n## Gap Analysis Workflow\n\n### Phase 1: Current State Assessment\n\n1. **Document existing controls** — inventory all security policies, procedures, and technical controls\n2. **Map to TSC** — align existing controls to Trust Service Criteria\n3. **Collect evidence samples** — gather proof that controls exist and operate\n4. 
**Interview control owners** — verify understanding and execution\n\n### Phase 2: Gap Identification\n\nRun `gap_analyzer.py` against your current controls to identify:\n\n- **Missing controls** — TSC criteria with no corresponding control\n- **Partially implemented** — Control exists but lacks evidence or consistency\n- **Design gaps** — Control designed but does not adequately address the criteria\n- **Operating gaps** (Type II only) — Control designed correctly but not operating effectively\n\n### Phase 3: Remediation Planning\n\nFor each gap, define:\n\n| Field | Description |\n|-------|-------------|\n| Gap ID | Reference identifier |\n| TSC Criteria | Affected criteria |\n| Gap Description | What is missing or insufficient |\n| Remediation Action | Specific steps to close the gap |\n| Owner | Person responsible for remediation |\n| Priority | Critical \u002F High \u002F Medium \u002F Low |\n| Target Date | Completion deadline |\n| Dependencies | Other gaps or projects that must complete first |\n\n### Phase 4: Timeline Planning\n\n| Priority | Target Remediation |\n|----------|--------------------|\n| Critical | 2-4 weeks |\n| High | 4-8 weeks |\n| Medium | 8-12 weeks |\n| Low | 12-16 weeks |\n\n---\n\n## Evidence Collection\n\n### Evidence Types by Control Category\n\n| Control Area | Primary Evidence | Secondary Evidence |\n|--------------|-----------------|-------------------|\n| Access Management | User access reviews, provisioning tickets | Role matrix, access logs |\n| Change Management | Change tickets, approval records | Deployment logs, test results |\n| Incident Response | Incident tickets, postmortems | Runbooks, escalation records |\n| Vulnerability Management | Scan reports, patch records | Remediation timelines |\n| Encryption | Configuration screenshots, certificate inventory | Key rotation logs |\n| Backup & Recovery | Backup logs, DR test results | Recovery time measurements |\n| Monitoring | Alert configurations, dashboard screenshots | 
On-call schedules, escalation records |\n| Policy Management | Signed policies, version history | Training completion records |\n| Vendor Management | Vendor assessments, SOC 2 reports | Contract reviews, risk registers |\n\n### Automation Opportunities\n\n| Area | Automation Approach |\n|------|-------------------|\n| Access reviews | Integrate IAM with ticketing (automatic quarterly review triggers) |\n| Configuration evidence | Infrastructure-as-code snapshots, compliance-as-code tools |\n| Vulnerability scans | Scheduled scanning with auto-generated reports |\n| Change management | Git-based audit trail (commits, PRs, approvals) |\n| Uptime monitoring | Automated SLA dashboards with historical data |\n| Backup verification | Automated restore tests with success\u002Ffailure logging |\n\n### Continuous Monitoring\n\nMove from point-in-time evidence collection to continuous compliance:\n\n1. **Automated evidence gathering** — scripts that pull evidence on schedule\n2. **Control dashboards** — real-time visibility into control status\n3. **Alert-based monitoring** — notify when a control drifts out of compliance\n4. 
**Evidence repository** — centralized, timestamped evidence storage\n\n---\n\n## Audit Readiness Checklist\n\n### Pre-Audit Preparation (4-6 Weeks Before)\n\n- [ ] All controls documented with descriptions, owners, and frequencies\n- [ ] Evidence collected for the entire observation period (Type II)\n- [ ] Control matrix reviewed and gaps remediated\n- [ ] Policies signed and distributed within the last 12 months\n- [ ] Access reviews completed within the required frequency\n- [ ] Vulnerability scans current (no critical\u002Fhigh unpatched > SLA)\n- [ ] Incident response plan tested within the last 12 months\n- [ ] Vendor risk assessments current for all subservice organizations\n- [ ] DR\u002FBCP tested and documented within the last 12 months\n- [ ] Employee security training completed for all staff\n\n### Readiness Scoring\n\n| Score | Rating | Meaning |\n|-------|--------|---------|\n| 90-100% | Audit Ready | Proceed with confidence |\n| 75-89% | Minor Gaps | Address before scheduling audit |\n| 50-74% | Significant Gaps | Remediation required |\n| \u003C 50% | Not Ready | Major program build-out needed |\n\n### Common Audit Findings\n\n| Finding | Root Cause | Prevention |\n|---------|-----------|-----------|\n| Incomplete access reviews | Manual process, no reminders | Automate quarterly review triggers |\n| Missing change approvals | Emergency changes bypass process | Define emergency change procedure with post-hoc approval |\n| Stale vulnerability scans | Scanner misconfigured | Automated weekly scans with alerting |\n| Policy not acknowledged | No tracking mechanism | Annual e-signature workflow |\n| Missing vendor assessments | No vendor inventory | Maintain vendor register with review schedule |\n\n---\n\n## Vendor Management\n\n### Third-Party Risk Assessment\n\nEvery vendor that accesses, stores, or processes customer data must be assessed:\n\n1. **Vendor inventory** — maintain a register of all service providers\n2. 
**Risk classification** — categorize vendors by data access level\n3. **Due diligence** — collect SOC 2 reports, security questionnaires, certifications\n4. **Contractual protections** — ensure DPAs, security requirements, breach notification clauses\n5. **Ongoing monitoring** — annual reassessment, continuous news monitoring\n\n### Vendor Risk Tiers\n\n| Tier | Data Access | Assessment Frequency | Requirements |\n|------|-------------|---------------------|-------------|\n| Critical | Processes\u002Fstores customer data | Annual + continuous monitoring | SOC 2 Type II, penetration test, security review |\n| High | Accesses customer environment | Annual | SOC 2 Type II or equivalent, questionnaire |\n| Medium | Indirect access, support tools | Annual questionnaire | Security certifications, questionnaire |\n| Low | No data access | Biennial questionnaire | Basic security questionnaire |\n\n### Subservice Organizations\n\nWhen your SOC 2 report relies on controls at a subservice organization (e.g., AWS, GCP, Azure):\n\n- **Inclusive method** — your report covers the subservice org's controls (requires their cooperation and their participation in the audit)\n- **Carve-out method** — your report excludes their controls; the system description identifies the complementary subservice organization controls (CSOCs) you rely on, and you review the provider's own SOC 2 report to confirm those controls operated\n- Most companies use **carve-out**. Do not confuse CSOCs with complementary user entity controls (CUECs): CUECs are the controls your own customers must implement (for example, managing their users in your product) for your controls to be effective, and they are listed separately in the report\n\n---\n\n## Continuous Compliance\n\n### From Point-in-Time to Continuous\n\n| Aspect | Point-in-Time | Continuous |\n|--------|---------------|-----------|\n| Evidence collection | Manual, before audit | Automated, ongoing |\n| Control monitoring | Periodic review | Real-time dashboards |\n| Drift detection | Found during audit | Alert-based, immediate |\n| Remediation | Reactive | Proactive |\n| Audit preparation | 4-8 week scramble | Always ready |\n\n### Implementation Steps\n\n1. **Automate evidence gathering** — cron jobs, API integrations, IaC snapshots\n2. **Build control dashboards** — aggregate control status into a single view\n3. 
**Configure drift alerts** — notify when controls fall out of compliance\n4. **Establish review cadence** — weekly control owner check-ins, monthly steering\n5. **Maintain evidence repository** — centralized, timestamped, auditor-accessible\n\n### Annual Re-Assessment Cycle\n\n| Quarter | Activities |\n|---------|-----------|\n| Q1 | Annual risk assessment, policy refresh, vendor reassessment launch |\n| Q2 | Internal control testing, remediation of findings |\n| Q3 | Pre-audit readiness review, evidence completeness check |\n| Q4 | External audit, management assertion, report distribution |\n\n---\n\n## Anti-Patterns\n\n| Anti-Pattern | Why It Fails | Better Approach |\n|--------------|-------------|----------------|\n| Point-in-time compliance | Controls degrade between audits; gaps found during audit | Implement continuous monitoring and automated evidence |\n| Manual evidence collection | Time-consuming, inconsistent, error-prone | Automate with scripts, IaC, and compliance platforms |\n| Missing vendor assessments | Auditors flag incomplete vendor due diligence | Maintain vendor register with risk-tiered assessment schedule |\n| Copy-paste policies | Generic policies don't match actual operations | Tailor policies to your actual environment and technology stack |\n| Security theater | Controls exist on paper but aren't followed | Verify operating effectiveness; build controls into workflows |\n| Skipping Type I | Jumping to Type II without foundational readiness | Start with Type I to validate control design before observation |\n| Over-scoping TSC | Including all 5 categories when only Security is needed | Select categories based on actual customer\u002Fbusiness requirements |\n| Treating audit as a project | Compliance degrades after the report is issued | Build compliance into daily operations and engineering culture |\n\n---\n\n## Tools\n\n### Control Matrix Builder\n\nGenerates a SOC 2 control matrix from selected TSC categories.\n\n```bash\n# Generate 
full security matrix in markdown\npython scripts\u002Fcontrol_matrix_builder.py --categories security --format md\n\n# Generate matrix for multiple categories as JSON\npython scripts\u002Fcontrol_matrix_builder.py --categories security,availability,confidentiality --format json\n\n# All categories, CSV output\npython scripts\u002Fcontrol_matrix_builder.py --categories security,availability,confidentiality,processing-integrity,privacy --format csv\n```\n\n### Evidence Tracker\n\nTracks evidence collection status per control.\n\n```bash\n# Check evidence status from a control matrix\npython scripts\u002Fevidence_tracker.py --matrix controls.json --status\n\n# JSON output for integration\npython scripts\u002Fevidence_tracker.py --matrix controls.json --status --json\n```\n\n### Gap Analyzer\n\nAnalyzes current controls against SOC 2 requirements and identifies gaps.\n\n```bash\n# Type I gap analysis\npython scripts\u002Fgap_analyzer.py --controls current_controls.json --type type1\n\n# Type II gap analysis (includes operating effectiveness)\npython scripts\u002Fgap_analyzer.py --controls current_controls.json --type type2 --json\n```\n\n---\n\n## References\n\n- [Trust Service Criteria Reference](references\u002Ftrust_service_criteria.md) — All 5 TSC categories with sub-criteria, control objectives, and evidence examples\n- [Evidence Collection Guide](references\u002Fevidence_collection_guide.md) — Evidence types per control, automation tools, documentation requirements\n- [Type I vs Type II Comparison](references\u002Ftype1_vs_type2.md) — Detailed comparison, timeline, cost analysis, and upgrade path\n\n---\n\n## Cross-References\n\n- **[gdpr-dsgvo-expert](..\u002Fgdpr-dsgvo-expert\u002FSKILL.md)** — The SOC 2 Privacy criteria overlap significantly with GDPR requirements; use together when processing EU personal data\n- **[information-security-manager-iso27001](..\u002Finformation-security-manager-iso27001\u002FSKILL.md)** — ISO 27001 Annex A controls map closely to SOC 
2 Security criteria; organizations pursuing both can share evidence\n- **[isms-audit-expert](..\u002Fisms-audit-expert\u002FSKILL.md)** — Audit methodology and finding management patterns transfer directly to SOC 2 audit preparation\n","","imported","https:\u002F\u002Fgithub.com\u002Falirezarezvani\u002Fclaude-skills","user_system_seed","SkillOPIC",true,153,2024,"2026-05-16 14:07:10",{"id":8,"name":21,"slug":22,"icon":23,"description":24,"sort":25,"createdAt":26},"Programming & Development","coding","mdi-code-braces","Code generation, debugging, and review to improve development efficiency",2,"2026-05-16 12:53:40",{"id":7,"name":28,"slug":29,"icon":30,"description":31,"moduleId":8,"sort":32,"skillCount":33,"createdAt":26},"Code Review","review","mdi-magnify-scan","Code quality analysis, security review",4,145,[35],{"id":36,"skillId":4,"version":37,"fileName":38,"fileSize":39,"filePath":40,"fileHash":41,"manifest":42,"createdAt":19},"d6c372f6-bda8-44ea-887b-bea5bfcc93ff","1.0.0","soc2-compliance.zip",37203,"uploads\u002Fskills\u002Fc5be4e45-2ecb-4fe7-8d8b-2e8f0c89102f\u002Fsoc2-compliance.zip","cf40c28cf6511d24a6d33a22e8708fae95b5738cddf66a8ffbd521fb8510aa06","[{\"path\":\"SKILL.md\",\"isDirectory\":false,\"size\":18896},{\"path\":\"references\u002Fevidence_collection_guide.md\",\"isDirectory\":false,\"size\":11737},{\"path\":\"references\u002Fsoc2_audit_playbook.md\",\"isDirectory\":false,\"size\":9480},{\"path\":\"references\u002Ftrust_service_criteria.md\",\"isDirectory\":false,\"size\":17764},{\"path\":\"references\u002Ftype1_vs_type2.md\",\"isDirectory\":false,\"size\":10465},{\"path\":\"scripts\u002Fcontrol_matrix_builder.py\",\"isDirectory\":false,\"size\":27405},{\"path\":\"scripts\u002Fevidence_tracker.py\",\"isDirectory\":false,\"size\":7963},{\"path\":\"scripts\u002Fgap_analyzer.py\",\"isDirectory\":false,\"size\":15919}]",{"code":44,"message":45,"data":46},200,"success",{"items":47,"stats":48,"page":51},[],{"averageRating":49,"totalRatings":49,"ratingCounts":50},0,[49,49,49,49,49],{"limit":52,"offset":49,"hasMore":53,"nextOffset":52,"ratedOnly":16},15,false]