open-agreements/soc2-readiness

SOC 2 Readiness Assessment

Assess readiness for a SOC 2 Type II audit. This skill walks through the Trust Services Criteria, identifies gaps, maps to NIST controls, and generates a prioritized remediation plan.

Security Model

• No scripts executed — markdown-only procedural guidance
• No secrets required — works with reference checklists
• IP-clean — AICPA Trust Services Criteria are publicly cited; descriptions are original writing
• Evidence stays local — all collection outputs go to local filesystem

When to Use

Activate this skill when:

1. First SOC 2 preparation — building controls from scratch for initial Type I or Type II
2. Pre-audit readiness check — 4-8 weeks before audit window opens
3. Gap analysis after scope change — new systems, services, or trust criteria added
4. Remediation planning — translating audit findings into actionable work items
5. Dual-framework mapping — already pursuing ISO 27001 and need SOC 2 overlap analysis

Do NOT use for:

• ISO 27001 internal audit — use iso-27001-internal-audit
• Evidence collection mechanics — use iso-27001-evidence-collection
• Contract review — use legal agreement skills

Core Concepts

Trust Services Criteria (TSC)

SOC 2 is organized around 5 Trust Services Categories. Security (CC) is always in scope; others are optional based on your service:

| Category | Criteria | When Required | |----------|----------|---------------| | Security (CC) | CC 1-9 (33 criteria) | Always required | | Availability (A) | A 1.1-1.3 (3 criteria) | SaaS with uptime SLAs | | Processing Integrity (PI) | PI 1.1-1.5 (4 criteria) | Data processing services | | Confidentiality (C) | C 1.1-1.2 (2 criteria) | Handling confidential data | | Privacy (P) | P 4-8 (7 criteria) | PII processing |

SOC 2 vs. ISO 27001

| Dimension | SOC 2 | ISO 27001 | |-----------|-------|-----------| | Governing body | AICPA | ISO/IEC | | Geography | Primarily US/Canada | Global | | Type | Attestation report by CPA | Certification by audit body | | Scope | Service-specific | Organization-wide ISMS | | Controls | Flexible (you define) | 93 Annex A controls | | Output | SOC 2 report (restricted/general use) | Certificate | | Overlap | ~70% overlap with ISO 27001 Annex A | ~70% overlap with SOC 2 CC |

Decision Tree: Scope Selection

What service are you getting audited on?
├── SaaS product → Security + Availability (+ Confidentiality if you handle sensitive data)
├── Data processing → Security + Processing Integrity + Confidentiality
├── Infrastructure → Security + Availability
├── API service → Security (+ PI if you transform data)
│
Do you handle PII?
├── YES → Add Privacy category
├── NO → Skip Privacy
│
Do you have uptime SLAs?
├── YES → Include Availability
├── NO → Optional (but customers expect it for SaaS)

Step-by-Step Workflow

Step 1: Define Scope and Categories

1. Identify the service being audited (product name, description, boundaries)
2. Select Trust Services Categories using the decision tree above
3. Define system boundaries: infrastructure, software, people, procedures, data
4. Document sub-service organizations (cloud providers, payment processors, etc.)
5. Determine audit type: Type I (point-in-time) or Type II (period of time, usually 6-12 months)

Step 2: Assess Current State

For each applicable Common Criterion (CC), assess whether controls are:

• Designed — control exists on paper
• Implemented — control is operating
• Effective — control achieves its objective (evidence exists)

# If Internal ISO Audit MCP server is available (SOC 2 maps to ISO 27001 Annex A):
list_controls(domain="technological")                       # List tech controls (maps to CC 6-8)
get_control_guidance(control_id="A.5.15")                   # Get guidance for ISO control mapped from CC 6.1
get_nist_mapping(control_id="AC-2", direction="nist_to_iso")  # Find ISO controls from NIST reference
search_guidance(query="incident response")                  # Search for controls matching SOC 2 criteria

Step 3: Map Controls to Criteria

Each CC maps to specific NIST controls. Use this mapping to identify what you need:

CC 1 — Control Environment

| Criterion | Focus | NIST Controls | ISO Cross-Reference | |-----------|-------|---------------|---------------------| | CC 1.1 | Integrity and ethics | PS-1, PS-3, PS-6 | A.6.1, A.6.2, A.6.4 | | CC 1.2 | Board oversight | PM-1, PM-2 | C.5.1, C.5.3 | | CC 1.3 | Organizational structure | PM-2 | C.5.3 | | CC 1.4 | Competence commitment | AT-2, PS-3 | A.6.1, A.6.3 | | CC 1.5 | Accountability | PS-3, PS-4 | A.6.4, A.6.5 |

CC 2 — Communication and Information

| Criterion | Focus | NIST Controls | ISO Cross-Reference | |-----------|-------|---------------|---------------------| | CC 2.1 | Internal information | AU-2, SI-5 | C.7.5.1 | | CC 2.2 | Internal communication | PM-2, AT-2 | C.7.4, A.6.3 | | CC 2.3 | External communication | PM-1 | A.5.14 |

CC 3 — Risk Assessment

| Criterion | Focus | NIST Controls | ISO Cross-Reference | |-----------|-------|---------------|---------------------| | CC 3.1 | Risk objectives | PM-9, RA-1 | C.6.1.1 | | CC 3.2 | Risk identification | RA-3 | C.6.1.2, C.8.2 | | CC 3.3 | Fraud risk | RA-3 | C.6.1.2 | | CC 3.4 | Change impact | RA-3, CM-4 | C.6.1.2, A.8.9 |

CC 4 — Monitoring Activities

| Criterion | Focus | NIST Controls | ISO Cross-Reference | |-----------|-------|---------------|---------------------| | CC 4.1 | Ongoing monitoring | CA-7, PM-6 | C.9.1 | | CC 4.2 | Deficiency evaluation | CA-2 | C.9.2.1 |

CC 5 — Control Activities

| Criterion | Focus | NIST Controls | ISO Cross-Reference | |-----------|-------|---------------|---------------------| | CC 5.1 | Risk mitigation | AC-5 | A.5.3 | | CC 5.2 | Technology controls | AC-1, IA-2 | A.5.15, A.8.5 | | CC 5.3 | Policy deployment | PM-1, PL-1 | A.5.1, C.5.2 |

CC 6 — Logical and Physical Access

| Criterion | Focus | NIST Controls | ISO Cross-Reference | |-----------|-------|---------------|---------------------| | CC 6.1 | Access control | AC-2, AC-3, IA-2, SC-28 | A.5.15, A.8.5, A.8.24 | | CC 6.2 | Access provisioning | AC-2, PS-4, PS-5 | A.5.18, A.6.5 | | CC 6.3 | Access modification | AC-2, AC-6 | A.5.15, A.5.18 | | CC 6.4 | Physical access | PE-2, PE-3, PE-6 | A.7.2, A.7.4 | | CC 6.5 | Asset disposal | MP-6 | A.7.10, A.7.14 | | CC 6.6 | Threat detection | RA-5, SI-4 | A.8.8, A.8.16 | | CC 6.7 | Transmission security | SC-8 | A.5.14, A.8.24 | | CC 6.8 | Malware prevention | SI-2, SI-3 | A.8.7, A.8.19 |

CC 7 — System Operations

| Criterion | Focus | NIST Controls | ISO Cross-Reference | |-----------|-------|---------------|---------------------| | CC 7.1 | Operational monitoring | CM-6, RA-5 | A.8.9, A.8.8 | | CC 7.2 | Anomaly detection | AU-6, SI-4 | A.8.15, A.8.16 | | CC 7.3 | Incident response | IR-4 | A.5.24, A.5.25 | | CC 7.4 | Incident management | IR-5, IR-6 | A.5.25, A.5.26 | | CC 7.5 | Recovery | CP-4, CP-9, CP-10 | A.5.30, A.8.13 |

CC 8 — Change Management

| Criterion | Focus | NIST Controls | ISO Cross-Reference | |-----------|-------|---------------|---------------------| | CC 8.1 | Change control | CM-3, CM-5, SA-3 | A.8.9, A.8.25, A.8.32 |

CC 9 — Risk Mitigation

| Criterion | Focus | NIST Controls | ISO Cross-Reference | |-----------|-------|---------------|---------------------| | CC 9.1 | Risk mitigation | CP-2, RA-7 | A.5.30, C.6.1.3 | | CC 9.2 | Vendor management | AC-20, SA-9 | A.5.19, A.5.22 |

Step 4: Generate Gap Analysis

For each criterion, document:

## Gap: [CC x.x] — [Brief description]

**Current State**: [What exists today]
**Required State**: [What the auditor expects]
**Gap**: [What's missing]
**Remediation**:
1. [Specific action item]
2. [Specific action item]
**Priority**: Critical / High / Medium / Low
**Effort**: [Days/weeks to remediate]
**Owner**: [Person responsible]
**Evidence Needed**: [What to collect after fix]

Step 5: Build Remediation Plan

Prioritize gaps by:

1. Critical — Audit will fail without this (CC 6.1, 6.2, 7.2, 7.5, 8.1)
2. High — Likely finding if not addressed (CC 1.4, 3.2, 6.6, 7.3)
3. Medium — Auditor will note but may not be a finding
4. Low — Best practice, not strictly required

Step 6: Readiness Report

Generate a structured readiness assessment:

1. Executive summary — overall readiness percentage, estimated time to audit-ready
2. Scope — service description, trust categories, audit type
3. Control matrix — all applicable criteria with status (designed/implemented/effective)
4. Gap analysis — prioritized list of gaps with remediation plan
5. Timeline — remediation milestones leading to audit window

Quick Reference: Top SOC 2 Failures

| # | Criterion | Common Failure | Fix | |---|-----------|---------------|-----| | 1 | CC 6.1 | MFA not universal | Enforce MFA on all systems with sensitive data | | 2 | CC 6.2 | Access not revoked on termination | Automate deprovisioning; verify within 24h | | 3 | CC 7.2 | No log monitoring | Configure alerts for auth failures, privilege changes | | 4 | CC 8.1 | No change management | Require PR reviews; document deployment process | | 5 | CC 7.5 | Backups never tested | Restore from backup quarterly; document results | | 6 | CC 3.2 | No risk assessment | Conduct and document annual risk assessment | | 7 | CC 6.6 | No vulnerability scanning | Deploy automated scanning; remediate criticals in 30d | | 8 | CC 1.4 | Security training incomplete | Require annual training; track completion | | 9 | CC 9.2 | Vendor risk not assessed | Maintain vendor register; collect SOC 2 reports | | 10 | CC 7.3 | No incident response plan | Document plan; conduct tabletop exercise |

DO / DON'T

DO

• Start with Security (CC) criteria — they're always required and cover ~80% of effort
• Map to ISO 27001 if pursuing both frameworks — ~70% control overlap
• Collect evidence throughout the audit period, not just at audit time
• Include sub-service organizations in your description
• Define the audit period before starting evidence collection

DON'T

• Include trust categories you can't support — better to pass on fewer than fail on more
• Assume Type I is "easy" — it requires all controls to be designed and implemented
• Forget the system description — auditors review this first and use it to scope their testing
• Use generic/template control descriptions — auditors expect your controls to match your actual environment
• Ignore complementary user entity controls (CUECs) — your customers need to know their responsibilities

Troubleshooting

| Problem | Solution | |---------|----------| | First SOC 2, no existing controls | Start with CC 6 (access) and CC 8 (change management) — fastest to implement | | Already have ISO 27001 | Map Annex A controls to SOC 2 CC; ~70% are already covered | | Auditor requests evidence we don't have | Collect it now; document the process; note in description if control was implemented mid-period | | Multiple environments (prod/staging/dev) | Only production environment needs to be in scope; document boundaries clearly | | Sub-service org (AWS/GCP/Azure) | Use SOC 2 Type II report from the provider; document which controls they cover |

Rules

For detailed SOC 2-specific guidance:

| File | Coverage | |------|----------| | rules/logical-access.md | CC 6.1–6.8 — access control, provisioning, physical, threat detection | | rules/system-operations.md | CC 7.1–7.5 — monitoring, anomaly detection, incident response, recovery | | rules/change-vendor-management.md | CC 8.1, CC 9.1–9.2 — change control, risk mitigation, vendor management | | rules/control-environment.md | CC 1.1–1.5 — governance, ethics, org structure, competence, accountability | | rules/risk-assessment.md | CC 3.1–3.4 — risk objectives, identification, fraud risk, change impact | | rules/control-activities.md | CC 5.1–5.3 — risk mitigation selection, technology controls, policy deployment | | rules/communication-info.md | CC 2.1–2.3 — internal/external communication, information quality | | rules/monitoring-activities.md | CC 4.1–4.2 — ongoing monitoring, deficiency evaluation | | rules/optional-categories.md | A 1.x, PI 1.x, C 1.x — Availability, Processing Integrity, Confidentiality | | rules/privacy-criteria.md | P 1.x–8.x — Privacy criteria (when PII in scope) |

Attribution

SOC 2 criteria mapping and readiness procedures developed with Internal ISO Audit (Hazel Castro, ISO 27001 Lead Auditor, 14+ years, 100+ audits).

Runtime Detection

1. Internal ISO Audit MCP server available (best) — Live ISO 27001 control guidance with NIST cross-references. SOC 2 criteria map to ISO 27001 Annex A controls (~70% overlap); use get_nist_mapping for bidirectional lookup. Server: internalisoaudit.com/api/mcp
2. Local compliance data available (good) — Reads compliance/ directory with SOC 2 test metadata
3. Reference only (baseline) — Uses embedded criteria mapping and checklists in rules/

Connectors

For Internal ISO Audit MCP server setup, see CONNECTORS.md.