Назад към всички

soc2-compliance-automator

// SOC 2 Trust Services Criteria compliance automation for evidence collection, control mapping, and audit preparation

$ git log --oneline --stat
stars:384
forks:73
updated:March 4, 2026
SKILL.mdreadonly
SKILL.md Frontmatter
namesoc2-compliance-automator
descriptionSOC 2 Trust Services Criteria compliance automation for evidence collection, control mapping, and audit preparation
allowed-toolsBash,Read,Write,Glob,Grep,WebFetch

SOC 2 Compliance Automator Skill

Purpose

Automate SOC 2 Trust Services Criteria (TSC) compliance activities including control mapping, evidence collection, audit preparation, and continuous compliance monitoring.

Capabilities

Control Mapping

  • Map organizational controls to SOC 2 TSC requirements
  • Cover all five Trust Services Categories:
    • Security (Common Criteria)
    • Availability
    • Processing Integrity
    • Confidentiality
    • Privacy
  • Generate control matrices with evidence requirements
  • Identify control gaps and coverage

Evidence Collection

  • Automate evidence gathering from cloud providers
  • Collect access control configurations (IAM, RBAC)
  • Capture security configurations and policies
  • Document change management processes
  • Archive audit logs and monitoring data
  • Screenshot automation for manual controls

Audit Preparation

  • Generate Type I and Type II audit packages
  • Prepare management assertion documents
  • Create system description documents
  • Organize evidence by control objective
  • Generate auditor-ready reports

Control Effectiveness Tracking

  • Monitor control implementation status
  • Track control testing results
  • Document control exceptions
  • Manage remediation activities
  • Calculate compliance scores

Continuous Compliance

  • Monitor control drift and changes
  • Alert on compliance deviations
  • Track evidence freshness
  • Generate compliance dashboards
  • Automate periodic control testing

Trust Services Categories

CC - Common Criteria (Security)

  • CC1: Control Environment
  • CC2: Communication and Information
  • CC3: Risk Assessment
  • CC4: Monitoring Activities
  • CC5: Control Activities
  • CC6: Logical and Physical Access Controls
  • CC7: System Operations
  • CC8: Change Management
  • CC9: Risk Mitigation

A - Availability

  • System availability commitments
  • Disaster recovery and business continuity
  • Capacity planning and monitoring

PI - Processing Integrity

  • Data processing accuracy
  • Completeness and timeliness
  • Error handling procedures

C - Confidentiality

  • Data classification
  • Encryption requirements
  • Access restrictions

P - Privacy

  • Privacy notice and consent
  • Data subject rights
  • Data retention and disposal

Integrations

  • Vanta: Automated security and compliance
  • Drata: Continuous compliance automation
  • Secureframe: Security compliance platform
  • AWS/Azure/GCP APIs: Cloud configuration evidence
  • Identity Providers: Access control evidence
  • SIEM Systems: Log and monitoring evidence

Target Processes

  • SOC 2 Compliance Audit Preparation
  • Continuous Compliance Monitoring
  • Security Control Assessment
  • Audit Readiness Review

Input Schema

{
  "type": "object",
  "properties": {
    "auditType": {
      "type": "string",
      "enum": ["Type1", "Type2"],
      "description": "SOC 2 audit type"
    },
    "trustCategories": {
      "type": "array",
      "items": {
        "type": "string",
        "enum": ["Security", "Availability", "ProcessingIntegrity", "Confidentiality", "Privacy"]
      }
    },
    "auditPeriod": {
      "type": "object",
      "properties": {
        "startDate": { "type": "string", "format": "date" },
        "endDate": { "type": "string", "format": "date" }
      }
    },
    "cloudProviders": {
      "type": "array",
      "items": {
        "type": "string",
        "enum": ["AWS", "Azure", "GCP"]
      }
    },
    "controlMatrix": {
      "type": "string",
      "description": "Path to existing control matrix"
    },
    "evidenceBasePath": {
      "type": "string",
      "description": "Base path for evidence storage"
    }
  },
  "required": ["auditType", "trustCategories"]
}

Output Schema

{
  "type": "object",
  "properties": {
    "assessmentId": {
      "type": "string"
    },
    "auditType": {
      "type": "string"
    },
    "assessmentDate": {
      "type": "string",
      "format": "date-time"
    },
    "trustCategories": {
      "type": "array"
    },
    "controlSummary": {
      "type": "object",
      "properties": {
        "totalControls": { "type": "integer" },
        "implemented": { "type": "integer" },
        "partiallyImplemented": { "type": "integer" },
        "notImplemented": { "type": "integer" },
        "notApplicable": { "type": "integer" }
      }
    },
    "evidenceStatus": {
      "type": "object",
      "properties": {
        "collected": { "type": "integer" },
        "pending": { "type": "integer" },
        "missing": { "type": "integer" }
      }
    },
    "gapAnalysis": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "controlId": { "type": "string" },
          "gap": { "type": "string" },
          "remediation": { "type": "string" },
          "priority": { "type": "string" }
        }
      }
    },
    "auditPackage": {
      "type": "object",
      "properties": {
        "controlMatrix": { "type": "string" },
        "evidenceFolder": { "type": "string" },
        "systemDescription": { "type": "string" },
        "managementAssertion": { "type": "string" }
      }
    },
    "complianceScore": {
      "type": "number"
    }
  }
}

Usage Example

skill: {
  name: 'soc2-compliance-automator',
  context: {
    auditType: 'Type2',
    trustCategories: ['Security', 'Availability', 'Confidentiality'],
    auditPeriod: {
      startDate: '2024-01-01',
      endDate: '2024-12-31'
    },
    cloudProviders: ['AWS', 'Azure']
  }
}