    Soc2 Compliance Pack

    by Kaymue

    Get SOC2 Type II-ready in 90 days. 17 policy templates, 64 control mappings, automated AWS/GCP/GitHub evidence collection.

    Updated Jun 2026
    0 installs

    Free

    Included in download

    • Downloadable skill package
    • 1 permission declared
    • Instant install

    About This Skill

# SOC2 Compliance Pack

Your enterprise customer just sent a SOC2 questionnaire. You have 2 weeks. This is the starter pack: 17 policy templates, 64 control mappings, automated evidence collection, and a vendor-questionnaire response generator.

## What it does

Everything you need to get SOC2 Type II-ready:

- **17 policy templates** — InfoSec, Access Control, Incident Response, BCP, Vendor Mgmt, HR, etc.
- **64 control mappings** — one per Trust Service Criteria point
- **Evidence collection** — automated scripts for AWS, GCP, Azure, GitHub and Okta / Auth0
- **Gap analysis** — current state vs SOC2 requirements
- **Vendor questionnaire** — auto-fill responses to standard SIG / CAIQ
- **Auditor-ready reports** — control status, evidence list, exceptions
- **Continuous compliance** — keep evidence fresh between audits

## When to use it

- You just lost a deal because you don't have SOC2
- Your first enterprise customer is asking for a SOC2 report
- You're 30 days from audit and not ready
- You're building a security/compliance program from scratch
- An auditor quoted you $50k and you want to do the prep yourself
- You're responding to SIG / CAIQ questionnaires manually and want automation

## Why it's better than ad-hoc prompting

Most "SOC2 prep" prompts give high-level advice. This skill is different:

- **17 ready-to-customize policy templates** — not "write a security policy"
- **Control-to-evidence mapping** — what to collect, how often, where
- **Automated scripts** — actual Python that pulls evidence from cloud
- **Auditor format** — outputs that match what auditors expect
- **Continuous compliance** — not just point-in-time, ongoing

## Architecture

```
Agent (Claude/Cursor)
  - Asks about your stack, audit timeline
  - Generates policies + controls + scripts
  - Walks through gap analysis
        │
        ▼
skills/soc2-compliance-pack/
  scripts/
  ├── gap_analysis.py      # Current vs SOC2
  ├── collect_aws.py       # AWS evidence collector
  ├── collect_gcp.py       # GCP evidence collector
  ├── collect_azure.py     # Azure evidence collector
  ├── collect_github.py    # GitHub evidence collector
  ├── collect_okta.py      # Okta / Auth0 evidence
  ├── questionnaire.py     # SIG / CAIQ auto-responder
  ├── auditor_report.py    # Control status report
  └── continuous.py        # Keep evidence fresh
  references/
  ├── tsc-catalog.md       # All 64 TSC points
  ├── evidence-catalog.md  # What evidence for what
  ├── policy-checklist.md  # 17 policies you need
  └── audit-prep-90d.md    # 90-day plan
  templates/policies/
  ├── infosec.md
  ├── access-control.md
  ├── incident-response.md
  ├── change-management.md
  ├── vendor-management.md
  ├── business-continuity.md
  ├── data-classification.md
  ├── encryption-key-mgmt.md
  ├── ...17 total
```

## Quick start

```bash
# 1. Install the cloud SDKs. The PyPI name for the Azure credential library is
#    azure-identity (there is no python-azure-identity package), and the bare
#    google-cloud package is a deprecated umbrella: install the google-cloud-*
#    client libraries for the GCP services you collect from instead.
pip install boto3 azure-identity PyGithub

# 2. Gap analysis
python scripts/gap_analysis.py --framework soc2-type2 --out gap-report.md

# 3. Collect evidence from cloud
python scripts/collect_aws.py --services iam,s3,ec2,cloudtrail --out evidence/aws/
python scripts/collect_gcp.py --services iam,gcs,compute,logging --out evidence/gcp/
python scripts/collect_azure.py --services ad,storage,compute,monitor --out evidence/azure/
python scripts/collect_github.py --org myorg --out evidence/github/
python scripts/collect_okta.py --out evidence/okta/

# 4. Fill out vendor questionnaire
python scripts/questionnaire.py --input sig-2026.xlsx --out sig-responses.xlsx

# 5. Generate auditor report
python scripts/auditor_report.py --out audit-report-2026.pdf

# 6. Continuous compliance (cron)
python scripts/continuous.py --interval 24h
```

## The 17 policy templates

1. Information Security Policy
2. Acceptable Use Policy
3. Access Control Policy
4. Data Classification & Handling
5. Encryption & Key Management
6. Change Management
7. Incident Response
8. Business Continuity & Disaster Recovery
9. Vendor Management
10. Human Resources Security
11. Asset Management
12. Network Security
13. Physical Security
14. Logging & Monitoring
15. Vulnerability Management
16. Secure Development (SDLC)
17. Risk Assessment

Each template: 2-4 pages, customizable, includes purpose / scope / policy / procedures / enforcement.

## The 5 Trust Service Criteria (TSC)

| # | TSC | Description | Common controls |
|---|-----|-------------|-----------------|
| 1 | **Security** | Protection against unauthorized access | Access control, encryption, logging, vulnerability mgmt |
| 2 | **Availability** | System uptime commitments | SLOs, BCP/DR, monitoring |
| 3 | **Processing Integrity** | System processes are complete, accurate | Input validation, error handling, reconciliation |
| 4 | **Confidentiality** | Confidential info is protected | Encryption, access control, data classification |
| 5 | **Privacy** | Personal info is collected/used responsibly | Consent, retention, subject rights |

64 control points total across the 5 TSCs.
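The gap analysis and control-to-evidence mapping described above boil down to one loop: for each control, find the evidence record it is satisfied from, list the items that violate it, and refuse to count evidence that is older than the refresh window. The following is an added example of that loop, not code from the pack. The evidence snapshot is constructed to resemble what per-source collectors could write (the real collectors' output format is not shown on this page), the control IDs are made up, and the TSC references (CC6.1, CC6.2, CC6.6, CC7.2, CC8.1 are real 2017 TSC common criteria) are an illustrative mapping, not the pack's 64-point catalog.

```python
"""Gap analysis over collected evidence: control-to-evidence mapping,
exception listing and evidence-freshness check.  Added example; the snapshot
is constructed, the control IDs are hypothetical and the TSC refs illustrative."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable

NOW = datetime(2026, 6, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock for a reproducible run
MAX_AGE = timedelta(hours=24)  # one collector refresh cycle; older evidence is stale

# Constructed evidence snapshot keyed by source, one record per collector run.
EVIDENCE = {
    "aws/iam_users": {
        "collected_at": "2026-06-15T09:00:00+00:00",
        "items": [
            {"user": "alice", "mfa": True, "console": True},
            {"user": "bob", "mfa": False, "console": True},
            {"user": "ci-deploy", "mfa": False, "console": False},  # no console login: MFA not expected
        ],
    },
    "aws/cloudtrail": {
        "collected_at": "2026-06-15T09:00:00+00:00",
        "items": [{"trail": "org-trail", "multi_region": True, "log_file_validation": True}],
    },
    "aws/s3_buckets": {
        "collected_at": "2026-06-13T09:00:00+00:00",  # two days old: outside the refresh window
        "items": [
            {"bucket": "prod-data", "block_public_access": True},
            {"bucket": "marketing-site", "block_public_access": False},
        ],
    },
    "github/repos": {
        "collected_at": "2026-06-15T10:30:00+00:00",
        "items": [
            {"repo": "api", "default_branch_protected": True, "required_reviews": 1},
            {"repo": "infra", "default_branch_protected": False, "required_reviews": 0},
        ],
    },
}


@dataclass
class Control:
    id: str                           # hypothetical control ID
    tsc: str                          # illustrative TSC reference
    description: str
    source: str                       # evidence key this control is satisfied from
    violates: Callable[[dict], bool]  # True when an item is an exception
    label: str                        # item field used to name the exception


CONTROLS = [
    Control("AC-1", "CC6.1", "Console IAM users have MFA", "aws/iam_users",
            lambda u: u["console"] and not u["mfa"], "user"),
    Control("LM-1", "CC7.2", "CloudTrail is multi-region with log validation", "aws/cloudtrail",
            lambda t: not (t["multi_region"] and t["log_file_validation"]), "trail"),
    Control("DP-1", "CC6.6", "S3 buckets block public access", "aws/s3_buckets",
            lambda b: not b["block_public_access"], "bucket"),
    Control("CM-1", "CC8.1", "Default branches require a reviewed PR", "github/repos",
            lambda r: not (r["default_branch_protected"] and r["required_reviews"] >= 1), "repo"),
    Control("AC-2", "CC6.2", "Okta users are enrolled in MFA", "okta/users",
            lambda u: not u["mfa_enrolled"], "user"),  # no collector ran for okta: reported MISSING
]


@dataclass
class Result:
    control: str
    tsc: str
    status: str                       # PASS | FAIL | STALE | MISSING
    exceptions: list = field(default_factory=list)


def evaluate(evidence: dict, controls=CONTROLS, now: datetime = NOW, max_age=MAX_AGE) -> list:
    """Map each control to its evidence record and classify it."""
    results = []
    for c in controls:
        record = evidence.get(c.source)
        if record is None:
            results.append(Result(c.id, c.tsc, "MISSING"))  # nothing to show an auditor
            continue
        exceptions = [item[c.label] for item in record["items"] if c.violates(item)]
        age = now - datetime.fromisoformat(record["collected_at"])
        if age > max_age:
            status = "STALE"   # exceptions are still listed, but the evidence cannot be presented as current
        elif exceptions:
            status = "FAIL"
        else:
            status = "PASS"
        results.append(Result(c.id, c.tsc, status, exceptions))
    return results


def render(results: list) -> str:
    """Markdown control-status table of the kind an auditor-report step would emit."""
    lines = ["| Control | TSC | Status | Exceptions |", "|---|---|---|---|"]
    for r in results:
        lines.append(f"| {r.control} | {r.tsc} | {r.status} | {', '.join(r.exceptions) or '-'} |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(evaluate(EVIDENCE)))
```

Two design points carry over to any real collector pipeline: a control with no evidence record is reported as MISSING rather than silently passing, and evidence past the refresh window is reported as STALE even when its content would pass, because a Type II auditor samples evidence across the observation period and a snapshot that was not refreshed is a gap in its own right.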
## Evidence collection (automated)

| Source | What it collects | Refresh |
|--------|------------------|---------|
| **AWS** | IAM users/roles/policies, S3 bucket policies, EC2 security groups, CloudTrail config, KMS keys, GuardDuty findings | 24h |
| **GCP** | IAM, GCS policies, VPC firewall rules, Audit logs, KMS | 24h |
| **Azure** | AD users/roles, Storage policies, NSG rules, Activity Log, Key Vault | 24h |
| **GitHub** | Org members, repo permissions, branch protection, 2FA enforcement, secret scanning | 24h |
| **Okta / Auth0** | Users, MFA enrollment, admin count, session policies | 24h |

The collectors only need to read configuration, so run them under read-only credentials scoped to the listed services (for AWS the `SecurityAudit` managed policy, for GitHub a token with `read:org` and repository read access, for Okta a read-only administrator token) rather than the credentials the agent already has in its shell. Keep each dated snapshot rather than overwriting it: the auditor samples evidence across the observation period, and the history is what proves a control operated, not just that it was configured on the day of the audit.

## The 90-day SOC2 plan

### Days 1-30: Foundation

- Buy or adopt policy templates (this skill)
- Customize to your company
- Identify scope (systems in audit)
- Run gap analysis

### Days 31-60: Implementation

- Deploy evidence collection (daily cron)
- Implement missing controls (MFA, logging, etc.)
- Train employees on policies
- Start tracking exceptions

### Days 61-90: Audit prep

- Generate evidence package
- Fill out internal security questionnaire
- Select auditor (Big 4, mid-tier, or boutique)
- Walk through controls with auditor

A Type II report attests that controls operated over an observation period the auditor agrees with you (commonly 3 to 12 months), so the 90 days gets the controls running and the evidence flowing; the report itself cannot be issued until that period has elapsed with the collectors and exception tracking in place.

### Ongoing

- Continuous compliance (evidence auto-refresh)
- Quarterly access reviews
- Annual policy review + penetration test

## Pricing

Single-purchase, lifetime access. $25.00. Includes:

- 9 Python scripts (gap, 5 cloud collectors, questionnaire, audit report, continuous)
- 4 reference docs (TSC catalog, evidence catalog, policy checklist, 90-day plan)
- 17 policy templates (markdown, customizable)
- 64 TSC control mappings
- Vendor questionnaire auto-responder
- Future updates for the same major version

## Example usage

> "We're a 30-person SaaS. Customer asking for SOC2 Type II. We have 90 days. Help us get ready."

The skill will:

1. Run gap analysis (current state vs 64 controls)
2. Output the 17 policy templates
3. Generate evidence collection scripts (we have AWS + GitHub + Okta)
4. Identify the 5-10 critical gaps to close in 60 days
5. Output a 90-day plan with weekly milestones

## Compatibility

Works with any agent that supports the SKILL.md standard and can execute Python: Claude Code, OpenClaw, Codex CLI, Cursor, Gemini CLI, Cline, Windsurf, Aider. Cloud SDKs: AWS boto3, GCP, Azure. Tested on Linux, macOS, Windows. The scripts run with whatever cloud credentials are present in the agent's environment, so provision the read-only credentials described under evidence collection before running them.

## Tags

soc2, compliance, security, audit, iso27001, gdpr, hipaa, governance, enterprise

    Use Cases

    • Get SOC2 Type II-ready in 90 days. Policy templates for all 5 Trust Service Criteria, control-to-evidence mapping, automated evidence collection scripts (AWS/GCP/Azure + GitHub), auditor-ready reports, and a vendor-questionnaire response generator.

    Reviews

    No reviews yet - be the first to share your experience.

    Only users who have downloaded or purchased this skill can leave a review.

    Security Scanned

    Passed automated security review

    Permissions

    Terminal / Shell

    Works with any agent that supports the universal SKILL.md standard
