soc2-readiness

SOC 2 Readiness Assessment

Assess readiness for a SOC 2 Type II audit. This skill walks through the Trust Services Criteria, identifies gaps, maps to NIST controls, and generates a prioritized remediation plan.

Security Model

• No scripts executed — markdown-only procedural guidance
• No secrets required — works with reference checklists
• IP-clean — AICPA Trust Services Criteria are publicly cited; descriptions are original writing
• Evidence stays local — all collection outputs go to local filesystem

When to Use

Activate this skill when:

1. First SOC 2 preparation — building controls from scratch for initial Type I or Type II
2. Pre-audit readiness check — 4-8 weeks before audit window opens
3. Gap analysis after scope change — new systems, services, or trust criteria added
4. Remediation planning — translating audit findings into actionable work items
5. Dual-framework mapping — already pursuing ISO 27001 and need SOC 2 overlap analysis

Do NOT use for:

• ISO 27001 internal audit — use iso-27001-internal-audit
• Evidence collection mechanics — use iso-27001-evidence-collection
• Contract review — use legal agreement skills

Core Concepts

Trust Services Criteria (TSC)

SOC 2 is organized around 5 Trust Services Categories. Security (CC) is always in scope; others are optional based on your service:

Category	Criteria	When Required
Security (CC)	CC 1-9 (33 criteria)	Always required
Availability (A)	A 1.1-1.3 (3 criteria)	SaaS with uptime SLAs
Processing Integrity (PI)	PI 1.1-1.5 (4 criteria)	Data processing services
Confidentiality (C)	C 1.1-1.2 (2 criteria)	Handling confidential data
Privacy (P)	P 4-8 (7 criteria)	PII processing

SOC 2 vs. ISO 27001

Dimension	SOC 2	ISO 27001
Governing body	AICPA	ISO/IEC
Geography	Primarily US/Canada	Global
Type	Attestation report by CPA	Certification by audit body
Scope	Service-specific	Organization-wide ISMS
Controls	Flexible (you define)	93 Annex A controls
Output	SOC 2 report (restricted/general use)	Certificate
Overlap	~70% overlap with ISO 27001 Annex A	~70% overlap with SOC 2 CC

Decision Tree: Scope Selection

What service are you getting audited on?
├── SaaS product → Security + Availability (+ Confidentiality if you handle sensitive data)
├── Data processing → Security + Processing Integrity + Confidentiality
├── Infrastructure → Security + Availability
├── API service → Security (+ PI if you transform data)
│
Do you handle PII?
├── YES → Add Privacy category
├── NO → Skip Privacy
│
Do you have uptime SLAs?
├── YES → Include Availability
├── NO → Optional (but customers expect it for SaaS)

Step-by-Step Workflow

Step 1: Define Scope and Categories

1. Identify the service being audited (product name, description, boundaries)
2. Select Trust Services Categories using the decision tree above
3. Define system boundaries: infrastructure, software, people, procedures, data
4. Document sub-service organizations (cloud providers, payment processors, etc.)
5. Determine audit type: Type I (point-in-time) or Type II (period of time, usually 6-12 months)

Step 2: Assess Current State

For each applicable Common Criterion (CC), assess whether controls are:

• Designed — control exists on paper
• Implemented — control is operating
• Effective — control achieves its objective (evidence exists)

# If Internal ISO Audit MCP server is available (SOC 2 maps to ISO 27001 Annex A):
list_controls(domain="technological")                       # List tech controls (maps to CC 6-8)
get_control_guidance(control_id="A.5.15")                   # Get guidance for ISO control mapped from CC 6.1
get_nist_mapping(control_id="AC-2", direction="nist_to_iso")  # Find ISO controls from NIST reference
search_guidance(query="incident response")                  # Search for controls matching SOC 2 criteria

Step 3: Map Controls to Criteria

Each CC maps to specific NIST controls. Use this mapping to identify what you need:

CC 1 — Control Environment

Criterion	Focus	NIST Controls	ISO Cross-Reference
CC 1.1	Integrity and ethics	PS-1, PS-3, PS-6	A.6.1, A.6.2, A.6.4
CC 1.2	Board oversight	PM-1, PM-2	C.5.1, C.5.3
CC 1.3	Organizational structure	PM-2	C.5.3
CC 1.4	Competence commitment	AT-2, PS-3	A.6.1, A.6.3
CC 1.5	Accountability	PS-3, PS-4	A.6.4, A.6.5

CC 2 — Communication and Information

Criterion	Focus	NIST Controls	ISO Cross-Reference
CC 2.1	Internal information	AU-2, SI-5	C.7.5.1
CC 2.2	Internal communication	PM-2, AT-2	C.7.4, A.6.3
CC 2.3	External communication	PM-1	A.5.14

CC 3 — Risk Assessment

Criterion	Focus	NIST Controls	ISO Cross-Reference
CC 3.1	Risk objectives	PM-9, RA-1	C.6.1.1
CC 3.2	Risk identification	RA-3	C.6.1.2, C.8.2
CC 3.3	Fraud risk	RA-3	C.6.1.2
CC 3.4	Change impact	RA-3, CM-4	C.6.1.2, A.8.9

CC 4 — Monitoring Activities

Criterion	Focus	NIST Controls	ISO Cross-Reference
CC 4.1	Ongoing monitoring	CA-7, PM-6	C.9.1
CC 4.2	Deficiency evaluation	CA-2	C.9.2.1

CC 5 — Control Activities

Criterion	Focus	NIST Controls	ISO Cross-Reference
CC 5.1	Risk mitigation	AC-5	A.5.3
CC 5.2	Technology controls	AC-1, IA-2	A.5.15, A.8.5
CC 5.3	Policy deployment	PM-1, PL-1	A.5.1, C.5.2

CC 6 — Logical and Physical Access

Criterion	Focus	NIST Controls	ISO Cross-Reference
CC 6.1	Access control	AC-2, AC-3, IA-2, SC-28	A.5.15, A.8.5, A.8.24
CC 6.2	Access provisioning	AC-2, PS-4, PS-5	A.5.18, A.6.5
CC 6.3	Access modification	AC-2, AC-6	A.5.15, A.5.18
CC 6.4	Physical access	PE-2, PE-3, PE-6	A.7.2, A.7.4
CC 6.5	Asset disposal	MP-6	A.7.10, A.7.14
CC 6.6	Threat detection	RA-5, SI-4	A.8.8, A.8.16
CC 6.7	Transmission security	SC-8	A.5.14, A.8.24
CC 6.8	Malware prevention	SI-2, SI-3	A.8.7, A.8.19

CC 7 — System Operations

Criterion	Focus	NIST Controls	ISO Cross-Reference
CC 7.1	Operational monitoring	CM-6, RA-5	A.8.9, A.8.8
CC 7.2	Anomaly detection	AU-6, SI-4	A.8.15, A.8.16
CC 7.3	Incident response	IR-4	A.5.24, A.5.25
CC 7.4	Incident management	IR-5, IR-6	A.5.25, A.5.26
CC 7.5	Recovery	CP-4, CP-9, CP-10	A.5.30, A.8.13

CC 8 — Change Management

Criterion	Focus	NIST Controls	ISO Cross-Reference
CC 8.1	Change control	CM-3, CM-5, SA-3	A.8.9, A.8.25, A.8.32

CC 9 — Risk Mitigation

Criterion	Focus	NIST Controls	ISO Cross-Reference
CC 9.1	Risk mitigation	CP-2, RA-7	A.5.30, C.6.1.3
CC 9.2	Vendor management	AC-20, SA-9	A.5.19, A.5.22

Step 4: Generate Gap Analysis

For each criterion, document:

## Gap: [CC x.x] — [Brief description]

**Current State**: [What exists today]
**Required State**: [What the auditor expects]
**Gap**: [What's missing]
**Remediation**:
1. [Specific action item]
2. [Specific action item]
**Priority**: Critical / High / Medium / Low
**Effort**: [Days/weeks to remediate]
**Owner**: [Person responsible]
**Evidence Needed**: [What to collect after fix]

Step 5: Build Remediation Plan

Prioritize gaps by:

1. Critical — Audit will fail without this (CC 6.1, 6.2, 7.2, 7.5, 8.1)
2. High — Likely finding if not addressed (CC 1.4, 3.2, 6.6, 7.3)
3. Medium — Auditor will note but may not be a finding
4. Low — Best practice, not strictly required

Step 6: Readiness Report

Generate a structured readiness assessment:

1. Executive summary — overall readiness percentage, estimated time to audit-ready
2. Scope — service description, trust categories, audit type
3. Control matrix — all applicable criteria with status (designed/implemented/effective)
4. Gap analysis — prioritized list of gaps with remediation plan
5. Timeline — remediation milestones leading to audit window

Quick Reference: Top SOC 2 Failures

#	Criterion	Common Failure	Fix
1	CC 6.1	MFA not universal	Enforce MFA on all systems with sensitive data
2	CC 6.2	Access not revoked on termination	Automate deprovisioning; verify within 24h
3	CC 7.2	No log monitoring	Configure alerts for auth failures, privilege changes
4	CC 8.1	No change management	Require PR reviews; document deployment process
5	CC 7.5	Backups never tested	Restore from backup quarterly; document results
6	CC 3.2	No risk assessment	Conduct and document annual risk assessment
7	CC 6.6	No vulnerability scanning	Deploy automated scanning; remediate criticals in 30d
8	CC 1.4	Security training incomplete	Require annual training; track completion
9	CC 9.2	Vendor risk not assessed	Maintain vendor register; collect SOC 2 reports
10	CC 7.3	No incident response plan	Document plan; conduct tabletop exercise

DO / DON'T

DO

• Start with Security (CC) criteria — they're always required and cover ~80% of effort
• Map to ISO 27001 if pursuing both frameworks — ~70% control overlap
• Collect evidence throughout the audit period, not just at audit time
• Include sub-service organizations in your description
• Define the audit period before starting evidence collection

DON'T

• Include trust categories you can't support — better to pass on fewer than fail on more
• Assume Type I is "easy" — it requires all controls to be designed and implemented
• Forget the system description — auditors review this first and use it to scope their testing
• Use generic/template control descriptions — auditors expect your controls to match your actual environment
• Ignore complementary user entity controls (CUECs) — your customers need to know their responsibilities

Troubleshooting

Problem	Solution
First SOC 2, no existing controls	Start with CC 6 (access) and CC 8 (change management) — fastest to implement
Already have ISO 27001	Map Annex A controls to SOC 2 CC; ~70% are already covered
Auditor requests evidence we don't have	Collect it now; document the process; note in description if control was implemented mid-period
Multiple environments (prod/staging/dev)	Only production environment needs to be in scope; document boundaries clearly
Sub-service org (AWS/GCP/Azure)	Use SOC 2 Type II report from the provider; document which controls they cover

Rules

For detailed SOC 2-specific guidance:

File	Coverage
rules/logical-access.md	CC 6.1–6.8 — access control, provisioning, physical, threat detection
rules/system-operations.md	CC 7.1–7.5 — monitoring, anomaly detection, incident response, recovery
rules/change-vendor-management.md	CC 8.1, CC 9.1–9.2 — change control, risk mitigation, vendor management
rules/control-environment.md	CC 1.1–1.5 — governance, ethics, org structure, competence, accountability
rules/risk-assessment.md	CC 3.1–3.4 — risk objectives, identification, fraud risk, change impact
rules/control-activities.md	CC 5.1–5.3 — risk mitigation selection, technology controls, policy deployment
rules/communication-info.md	CC 2.1–2.3 — internal/external communication, information quality
rules/monitoring-activities.md	CC 4.1–4.2 — ongoing monitoring, deficiency evaluation
rules/optional-categories.md	A 1.x, PI 1.x, C 1.x — Availability, Processing Integrity, Confidentiality
rules/privacy-criteria.md	P 1.x–8.x — Privacy criteria (when PII in scope)

Attribution

SOC 2 criteria mapping and readiness procedures developed with Internal ISO Audit (Hazel Castro, ISO 27001 Lead Auditor, 14+ years, 100+ audits).

Runtime Detection

1. Internal ISO Audit MCP server available (best) — Live ISO 27001 control guidance with NIST cross-references. SOC 2 criteria map to ISO 27001 Annex A controls (~70% overlap); use get_nist_mapping for bidirectional lookup. Server: internalisoaudit.com/api/mcp
2. Local compliance data available (good) — Reads compliance/ directory with SOC 2 test metadata
3. Reference only (baseline) — Uses embedded criteria mapping and checklists in rules/

Connectors

For Internal ISO Audit MCP server setup, see CONNECTORS.md.