soc2-compliance-expert

# SOC 2 Compliance Expert

SOC 2 Type I and Type II compliance management covering all Trust Services Criteria (TSC), infrastructure security validation, evidence collection, and end-to-end audit preparation.

## SOC 2 Overview

### Type I vs Type II

| Aspect | Type I | Type II |
|---|---|---|
| Scope | Design of controls at a point in time | Design AND operating effectiveness over a period |
| Duration | Single date (snapshot) | Observation period (3-12 months, typically 6-12) |
| Cost | $20K-$60K (first audit) | $40K-$150K (first audit) |
| Timeline | 1-3 months | 6-15 months (includes observation period) |
| Customer Preference | Early-stage acceptable | Enterprise customers require |
Start with Type I to validate control design, then transition to Type II within 6 months.

### Trust Services Criteria Summary

| Category | Focus | Controls |
|---|---|---|
| CC1-CC5 | Common Criteria (COSO-based) | Control environment, communication, risk, monitoring, control activities |
| CC6 | Logical and Physical Access | Authentication, authorization, physical security, encryption |
| CC7 | System Operations | Vulnerability management, monitoring, incident response, BCP |
| CC8 | Change Management | Authorization, testing, deployment controls |
| CC9 | Risk Mitigation | Vendor management, business disruption, risk transfer |
| A1 | Availability | Capacity planning, DR, recovery testing |
| PI1 | Processing Integrity | Data validation, error handling, reconciliation |
| C1 | Confidentiality | Classification, encryption, disposal |
| P1 | Privacy | Notice, consent, data subject rights, retention |
For detailed control requirements per category, see REFERENCE.md.

## Readiness Assessment Workflow

The agent guides organizations through SOC 2 readiness from gap analysis through audit completion.

### Workflow: Phase 1 -- Gap Analysis (Weeks 1-4)

- Define scope -- determine which TSC categories to include (Security is mandatory), define system boundaries, identify subservice organizations (carve-out vs. inclusive), document principal service commitments.
- Assess current state -- inventory existing policies and procedures, map current controls to TSC requirements, interview process owners and control operators.
- Run automated gap analysis using `scripts/soc2_readiness_checker.py`.
- Document gaps -- missing controls, controls lacking evidence, controls not operating effectively.
- Prioritize gaps by risk level and remediation effort.
- Validation checkpoint: Gap analysis covers all in-scope TSC categories; each gap has severity rating and remediation owner assigned.
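
As an added illustration of the gap-analysis step (example code written for this page, not the project's `scripts/soc2_readiness_checker.py`), the routine below scores a controls file per TSC category, lists every unimplemented control as a gap ordered by severity, and checks that each gap has a remediation owner, as the validation checkpoint requires. The input layout (a category-keyed map of control ids to booleans), the control ids and the severity-by-category table are assumptions for the example; the 80% threshold is the page's own success criterion.

```python
"""Gap analysis over a SOC 2 controls file (added example; hypothetical layout,
not the project's scripts/soc2_readiness_checker.py).

Assumed input layout: {"<TSC category>": {"<control id>": true|false, ...}}.
"""
import json

# Constructed sample controls file. Control ids are illustrative only.
SAMPLE_CONTROLS_JSON = """
{
  "CC6": {"CC6.1-mfa_enforced": true,
          "CC6.2-access_reviews_quarterly": false,
          "CC6.6-egress_filtering": true,
          "CC6.7-tls12_minimum": true},
  "CC7": {"CC7.1-vuln_scanning_monthly": true,
          "CC7.3-incident_runbooks": false},
  "CC8": {"CC8.1-change_approval_required": true},
  "A1":  {"A1.2-backups_tested_semiannually": false}
}
"""

# Assumed severity of a missing control, by category: access (CC6) and
# operations (CC7) gaps are treated as the most urgent.
CATEGORY_SEVERITY = {"CC6": "critical", "CC7": "high", "CC8": "high", "A1": "medium"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def load_controls(text):
    """Parse the controls JSON and reject any value that is not a boolean."""
    data = json.loads(text)
    for category, controls in data.items():
        for control_id, value in controls.items():
            if not isinstance(value, bool):
                raise ValueError(f"{category}/{control_id}: expected true/false, got {value!r}")
    return data


def score_by_category(controls):
    """Percentage of implemented controls per category (0-100)."""
    return {
        cat: (round(100 * sum(items.values()) / len(items)) if items else 0)
        for cat, items in controls.items()
    }


def below_threshold(scores, threshold=80):
    """Categories that would block engaging a CPA firm under the 80% criterion."""
    return sorted(cat for cat, score in scores.items() if score < threshold)


def find_gaps(controls):
    """Every unimplemented control, most severe first, with an empty owner slot."""
    gaps = [
        {"control": cid, "category": cat,
         "severity": CATEGORY_SEVERITY.get(cat, "low"), "owner": None}
        for cat, items in controls.items()
        for cid, implemented in items.items() if not implemented
    ]
    gaps.sort(key=lambda g: (SEVERITY_RANK[g["severity"]], g["category"], g["control"]))
    return gaps


def unassigned(gaps):
    """Validation checkpoint: every gap needs a remediation owner."""
    return [g["control"] for g in gaps if g["owner"] is None]


if __name__ == "__main__":
    controls = load_controls(SAMPLE_CONTROLS_JSON)
    scores = score_by_category(controls)
    for cat, score in scores.items():
        print(f"{cat}: {score}%")
    print("below 80%:", below_threshold(scores))
    for gap in find_gaps(controls):
        print(f"[{gap['severity']}] {gap['category']} {gap['control']}")
```

Rejecting non-boolean values up front matters because a controls file built from an export (where `1`, `"yes"` or `null` slip in) would otherwise score silently wrong; that is also the likely cause of the "0% across all categories" symptom listed under Troubleshooting.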

### Workflow: Phase 2 -- Remediation (Weeks 5-16)

- Develop/update policies -- information security policy, supporting procedures per control domain, policy review and approval workflows.
- Implement technical controls -- configure IdP with SSO/MFA enforcement, deploy endpoint security (MDM, EDR, disk encryption), implement SIEM logging and monitoring, configure backup and DR, harden cloud infrastructure.
- Establish processes -- access review procedures, change management workflow, incident response procedures, vendor management program, security awareness training.
- Set up evidence collection -- configure automated collection, establish repository structure, define refresh cadence per TSC category.
- Validation checkpoint: All identified gaps remediated; technical controls verified via `scripts/soc2_infrastructure_auditor.py`; evidence collection producing artifacts.

### Workflow: Phase 3 -- Pre-Audit (Weeks 17-20)

- Conduct internal readiness assessment -- mock audit against all in-scope TSC, validate evidence completeness and quality, run infrastructure auditor for technical validation.
- Remediate pre-audit findings -- address remaining gaps, strengthen evidence.
- Select and engage CPA firm -- negotiate scope, timeline, fees; schedule kickoff; prepare system description draft.
- Validation checkpoint: Mock audit passes with no critical gaps; system description reviewed; auditor engaged.

### Workflow: Phase 4 -- Audit Execution

- Type I audit (if applicable) -- auditor reviews control design; management provides assertions; address findings before Type II.
- Type II observation period (3-12 months) -- controls operate consistently, evidence collected continuously, quarterly self-assessments, regular auditor check-ins.
- Fieldwork (2-4 weeks) -- auditor selects samples, tests controls, interviews personnel; draft report review; final report issuance.
- Validation checkpoint: Clean opinion received; any findings have management response and remediation plan.

## Evidence Collection Framework

### Evidence by TSC Category

| TSC | Evidence Type | Collection Method | Refresh |
|---|---|---|---|
| CC1 | Code of conduct acknowledgments | HR system export | Annual |
| CC2 | Security awareness training records | LMS export | Ongoing |
| CC3 | Risk assessment report, risk register | GRC platform | Annual/Quarterly |
| CC4 | Penetration test reports, vulnerability scans | Third-party/scanner | Annual/Monthly |
| CC5 | Policy documents with version history | Policy management | Annual review |
| CC6 | Access reviews, MFA enrollment, offboarding | IAM/IdP/HRIS | Quarterly/Per event |
| CC7 | Vulnerability remediation, incident records | Ticketing/ITSM | Ongoing |
| CC8 | Change tickets with approvals, code reviews | ITSM/Git | Per change |
| CC9 | Vendor risk assessments, vendor SOC 2 reports | GRC platform | Annual |
| A1 | Uptime reports, DR tests, backup logs | Monitoring/backup | Monthly/Semi-annual |
| PI1 | Data validation/reconciliation reports | Application logs | Per process |
| C1 | Data classification inventory, encryption configs | Manual/automated | Annual/Quarterly |
| P1 | PIAs, DSR response tracking | Privacy tool | Per event |
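
To show how the refresh cadences in the table above turn into a concrete staleness check, here is an added example (written for this page, not the project's `scripts/evidence_collector.py`): it reads a constructed evidence-tracker file, ages each item against its cadence as of a reference date, and rolls the result up per TSC category the way a readiness dashboard would. The tracker layout, the item ids, the reference date and the day counts assigned to each cadence are assumptions; event-driven cadences (ongoing, per event, per change, per process) are only checked for presence because nothing ages out on a fixed schedule.

```python
"""Evidence freshness check against TSC refresh cadences (added example;
hypothetical layout, not the project's scripts/evidence_collector.py)."""
import json
from datetime import date

# Assumed maximum age per cadence. Event-driven cadences are absent here on
# purpose: they have no fixed period, so only presence is checked.
MAX_AGE_DAYS = {"annual": 365, "semi-annual": 182, "quarterly": 91, "monthly": 31}

# Constructed reference date for the examples below.
AS_OF = date(2024, 6, 1)

# Constructed tracker: item ids and dates are illustrative only.
SAMPLE_TRACKER_JSON = """
{
  "items": [
    {"id": "CC6.1-MFA",           "tsc": "CC6", "refresh": "quarterly",   "last_collected": "2024-01-10"},
    {"id": "CC6.2-AccessReview",  "tsc": "CC6", "refresh": "quarterly",   "last_collected": "2024-05-02"},
    {"id": "CC4.1-PenTest",       "tsc": "CC4", "refresh": "annual",      "last_collected": "2023-04-15"},
    {"id": "A1.2-DRTest",         "tsc": "A1",  "refresh": "semi-annual", "last_collected": null},
    {"id": "CC8.1-ChangeTickets", "tsc": "CC8", "refresh": "per change",  "last_collected": "2024-05-20"}
  ]
}
"""


def load_tracker(text):
    return json.loads(text)["items"]


def classify(item, as_of):
    """'missing' if never collected, 'stale' if older than its cadence, else 'current'."""
    last = item.get("last_collected")
    if not last:
        return "missing"
    max_age = MAX_AGE_DAYS.get(item["refresh"])
    if max_age is None:  # event-driven cadence: nothing ages out
        return "current"
    age = (as_of - date.fromisoformat(last)).days
    return "stale" if age > max_age else "current"


def evaluate(items, as_of):
    """Map each item id to its freshness state as of the given date."""
    return {item["id"]: classify(item, as_of) for item in items}


def dashboard(items, as_of):
    """Per-TSC counts of current/stale/missing items."""
    board = {}
    for item in items:
        counts = board.setdefault(item["tsc"], {"current": 0, "stale": 0, "missing": 0})
        counts[classify(item, as_of)] += 1
    return board


def percent_current(items, as_of):
    states = evaluate(items, as_of).values()
    return round(100 * sum(s == "current" for s in states) / len(items)) if items else 0


def needs_action(items, as_of):
    """Items to refresh before fieldwork, stale and missing alike."""
    return sorted(i for i, s in evaluate(items, as_of).items() if s != "current")


if __name__ == "__main__":
    items = load_tracker(SAMPLE_TRACKER_JSON)
    for tsc, counts in dashboard(items, AS_OF).items():
        print(tsc, counts)
    print(f"{percent_current(items, AS_OF)}% current; action needed: {needs_action(items, AS_OF)}")
```

Running the check with the date set to the planned start of fieldwork, rather than today, shows which items will have aged out by the time the auditor samples them.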

### Example: Evidence Collection Command

```bash
# Generate evidence checklist for all TSC categories
python scripts/evidence_collector.py --generate-checklist --categories all

# Track evidence status
python scripts/evidence_collector.py --status evidence-tracker.json

# Update specific evidence item
python scripts/evidence_collector.py --update evidence-tracker.json \
  --item CC6.1-MFA --status collected

# Generate readiness dashboard
python scripts/evidence_collector.py --dashboard evidence-tracker.json

# Export for auditor review
python scripts/evidence_collector.py --export evidence-tracker.json --format json
```

## Automation Strategies

GRC Platforms: Vanta, Drata, Secureframe, Laika, AuditBoard -- automated evidence collection via API integrations, continuous control monitoring, auditor collaboration portals.
Infrastructure-as-Evidence: Cloud configuration snapshots (AWS Config, Azure Policy, GCP Org Policies), Terraform state as configuration evidence, Git history as change management evidence, CI/CD pipeline logs as deployment control evidence.

## Infrastructure Security Validation

The agent validates infrastructure configurations against SOC 2 requirements.

### Quick Reference: Infrastructure Checks

| Domain | Key Checks | SOC 2 Mapping |
|---|---|---|
| Cloud (AWS/Azure/GCP) | Encryption, IAM, logging, network, backup, secrets | CC6, CC7, A1, C1 |
| DNS | SPF, DKIM, DMARC, DNSSEC, CAA | CC6.6, CC2.2 |
| TLS/SSL | TLS 1.2+, AEAD ciphers, HSTS, auto-renewal | CC6.7 |
| Endpoint | MDM, disk encryption, EDR, patching, screen lock | CC6.1, CC6.8, CC7.1 |
| Network | Segmentation, WAF, DDoS, VPN/ZTNA, egress filtering | CC6.6, A1.1 |
| Container | Image scanning, minimal base, no privileged, RBAC | CC6.1, CC7.1 |
| CI/CD | Signed commits, branch protection, SAST/DAST, SBOM | CC7.1, CC8.1 |
| Secrets | Vault storage, rotation policies, git scanning | CC6.1 |
For detailed per-provider control mappings, see REFERENCE.md.
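
As a worked illustration of the DNS and TLS rows in the quick-reference table (an added example, not the project's `scripts/soc2_infrastructure_auditor.py`), the checks below run over a constructed configuration and emit severity-rated findings tagged with the TSC criteria the table lists for those domains. The configuration layout, the check names, the severity assigned to each finding and which of CC6.6/CC2.2 a given DNS check is tagged with are all assumptions made for the example; the `domains` argument mirrors the auditor's `--domains` option, and a hardened copy of the same configuration shows what a clean run looks like.

```python
"""DNS/TLS configuration checks with severity-rated findings (added example;
hypothetical layout, not the project's scripts/soc2_infrastructure_auditor.py)."""

# Constructed configuration with several weaknesses left in on purpose.
WEAK_CONFIG = {
    "dns": {
        "spf": "v=spf1 include:_spf.example.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "dkim": True,
        "dnssec": False,
        "caa": True,
    },
    "tls": {
        "min_version": "1.1",
        "ciphers": ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-SHA"],
        "hsts": False,
        "auto_renew": True,
    },
}

# Same layout with every finding below remediated.
HARDENED_CONFIG = {
    "dns": {"spf": "v=spf1 include:_spf.example.com -all",
            "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
            "dkim": True, "dnssec": True, "caa": True},
    "tls": {"min_version": "1.2",
            "ciphers": ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-CHACHA20-POLY1305"],
            "hsts": True, "auto_renew": True},
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def finding(domain, check, severity, tsc, detail):
    return {"domain": domain, "check": check, "severity": severity, "tsc": tsc, "detail": detail}


def dmarc_policy(record):
    """Extract the p= tag from a DMARC record; None if absent."""
    for tag in record.split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip().lower() == "p":
            return value.strip().lower()
    return None


def is_aead(cipher):
    """AEAD suites are recognisable by GCM, CCM or CHACHA20 in the name."""
    name = cipher.upper()
    return any(token in name for token in ("GCM", "CCM", "CHACHA20"))


def check_dns(dns):
    out = []
    spf = dns.get("spf")
    if not spf:
        out.append(finding("dns", "spf", "high", "CC6.6", "no SPF record"))
    elif not spf.strip().endswith("-all"):
        out.append(finding("dns", "spf", "medium", "CC6.6", "SPF does not hard-fail (-all)"))
    dmarc = dns.get("dmarc")
    policy = dmarc_policy(dmarc) if dmarc else None
    if policy is None:
        out.append(finding("dns", "dmarc", "high", "CC2.2", "no DMARC policy published"))
    elif policy == "none":
        out.append(finding("dns", "dmarc", "medium", "CC2.2", "DMARC p=none only monitors"))
    if not dns.get("dkim"):
        out.append(finding("dns", "dkim", "high", "CC6.6", "DKIM signing not configured"))
    if not dns.get("dnssec"):
        out.append(finding("dns", "dnssec", "low", "CC6.6", "DNSSEC not enabled"))
    if not dns.get("caa"):
        out.append(finding("dns", "caa", "low", "CC6.6", "no CAA record restricting issuers"))
    return out


def check_tls(tls):
    out = []
    raw_version = str(tls.get("min_version", "1.0"))  # absent means nothing enforced
    version = tuple(int(p) for p in raw_version.split("."))
    if version < (1, 2):
        out.append(finding("tls", "min_version", "critical", "CC6.7", f"minimum TLS {raw_version} < 1.2"))
    weak = [c for c in tls.get("ciphers", []) if not is_aead(c)]
    if weak:
        out.append(finding("tls", "ciphers", "high", "CC6.7", f"non-AEAD suites enabled: {weak}"))
    if not tls.get("hsts"):
        out.append(finding("tls", "hsts", "medium", "CC6.7", "HSTS not sent"))
    if not tls.get("auto_renew"):
        out.append(finding("tls", "auto_renew", "low", "CC6.7", "certificate renewal is manual"))
    return out


CHECKS = {"dns": check_dns, "tls": check_tls}


def audit(config, domains=("dns", "tls")):
    """Run the selected domains' checks, most severe finding first."""
    findings = []
    for domain in domains:
        findings.extend(CHECKS[domain](config.get(domain, {})))
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["domain"], f["check"]))
    return findings


def blocks_success_criteria(findings):
    """The page's success criterion: no critical or high findings remain."""
    return any(f["severity"] in ("critical", "high") for f in findings)


if __name__ == "__main__":
    for f in audit(WEAK_CONFIG):
        print(f"[{f['severity']:8}] {f['domain']}/{f['check']} ({f['tsc']}): {f['detail']}")
```

A missing key is treated as the weak setting (no record, no HSTS, no version floor) rather than skipped, so an incomplete configuration file produces findings instead of a false clean run.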

### Example: Infrastructure Audit Command

```bash
# Full infrastructure audit
python scripts/soc2_infrastructure_auditor.py --config infra-config.json

# Audit specific domains only
python scripts/soc2_infrastructure_auditor.py --config infra-config.json \
  --domains dns tls cloud

# JSON output with severity ratings
python scripts/soc2_infrastructure_auditor.py --config infra-config.json --format json

# Generate sample configuration template
python scripts/soc2_infrastructure_auditor.py --generate-template
```
---

## Audit Timeline

### Typical Timeline (First SOC 2)

| Phase | Duration | Activities |
|---|---|---|
| Scoping | 2-4 weeks | Define TSC, system boundaries, auditor selection |
| Gap Analysis | 2-4 weeks | Assess current controls, identify gaps |
| Remediation | 8-16 weeks | Implement missing controls, policies, procedures |
| Type I Audit | 2-4 weeks | Point-in-time control design assessment |
| Type II Observation | 3-12 months | Controls operate, evidence collected continuously |
| Type II Fieldwork | 2-4 weeks | Auditor testing, evidence review, interviews |
| Report Issuance | 2-4 weeks | Draft review, management response, final report |

### Annual Renewal

- Begin renewal planning 3 months before observation period ends
- Maintain continuous compliance between audit periods
- Address prior-year findings before new observation period
- Bridge letters available for gaps between reports

## Incident Response Requirements

### IRP Structure

- Preparation -- IR team defined, communication channels established, runbooks for common incidents, legal/PR contacts on retainer.
- Detection and Analysis -- monitoring/alerting coverage, severity classification (SEV1-SEV4), triage procedures, escalation matrix.
- Containment, Eradication, Recovery -- isolate affected systems, preserve evidence, identify root cause, restore and validate.
- Post-Incident -- blameless post-mortem within 5 business days, lessons learned, control improvements, notification assessment (MTTD, MTTR, MTTC tracking).
For severity level definitions and breach notification timelines, see REFERENCE.md.
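
To make the post-incident metrics concrete, here is an added example (not part of the original page or its tools) that computes MTTD, MTTC and MTTR from a handful of constructed incident records and checks the five-business-day post-mortem requirement from the list above. The record layout, incident ids and timestamps are constructed for the example. The metric definitions are one common convention and are an assumption here: time to detect runs from occurrence to detection, time to contain from detection to containment, and time to recover from detection to recovery.

```python
"""Incident metrics for post-incident review (added example; record layout and
data constructed for illustration)."""
from datetime import datetime, date, timedelta

# Constructed incident records (ISO 8601, all in one timezone).
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "severity": "SEV1",
     "occurred": "2024-03-04T08:00", "detected": "2024-03-04T10:00",
     "contained": "2024-03-04T14:00", "recovered": "2024-03-05T10:00",
     "postmortem": "2024-03-08"},
    {"id": "INC-2", "severity": "SEV3",
     "occurred": "2024-03-10T00:00", "detected": "2024-03-11T06:00",
     "contained": "2024-03-11T08:00", "recovered": "2024-03-11T12:00",
     "postmortem": "2024-03-25"},
]

POSTMORTEM_DEADLINE_BUSINESS_DAYS = 5  # from the IRP structure above


def hours_between(start_iso, end_iso):
    """Elapsed hours; a timeline that runs backwards is a data error, not a metric."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    if end < start:
        raise ValueError(f"{end_iso} precedes {start_iso}")
    return (end - start).total_seconds() / 3600


def business_days_between(start, end):
    """Weekdays strictly after `start` up to and including `end`."""
    days, cur = 0, start
    while cur < end:
        cur += timedelta(days=1)
        if cur.weekday() < 5:
            days += 1
    return days


def incident_times(inc):
    """Per-incident detect / contain / recover durations in hours."""
    return {
        "ttd": hours_between(inc["occurred"], inc["detected"]),
        "ttc": hours_between(inc["detected"], inc["contained"]),
        "ttr": hours_between(inc["detected"], inc["recovered"]),
    }


def mean_times(incidents):
    """MTTD / MTTC / MTTR in hours across the given incidents."""
    if not incidents:
        return {"MTTD": 0.0, "MTTC": 0.0, "MTTR": 0.0}
    rows = [incident_times(i) for i in incidents]
    n = len(rows)
    return {"MTTD": sum(r["ttd"] for r in rows) / n,
            "MTTC": sum(r["ttc"] for r in rows) / n,
            "MTTR": sum(r["ttr"] for r in rows) / n}


def late_postmortems(incidents, deadline=POSTMORTEM_DEADLINE_BUSINESS_DAYS):
    """Ids whose post-mortem was held more than `deadline` business days after recovery."""
    late = []
    for inc in incidents:
        recovered = datetime.fromisoformat(inc["recovered"]).date()
        held = date.fromisoformat(inc["postmortem"])
        if business_days_between(recovered, held) > deadline:
            late.append(inc["id"])
    return late


if __name__ == "__main__":
    for name, value in mean_times(SAMPLE_INCIDENTS).items():
        print(f"{name}: {value:.1f} h")
    print("late post-mortems:", late_postmortems(SAMPLE_INCIDENTS))
```

Filtering `SAMPLE_INCIDENTS` by `severity` before calling `mean_times` gives the per-SEV breakdown an auditor will usually ask for alongside the overall figures.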

## Tools

### SOC 2 Readiness Checker

```bash
# Full readiness assessment
python scripts/soc2_readiness_checker.py --config org-controls.json

# JSON output for programmatic use
python scripts/soc2_readiness_checker.py --config org-controls.json --format json

# Check specific TSC categories
python scripts/soc2_readiness_checker.py --config org-controls.json \
  --categories security availability

# Include cloud provider control mapping
python scripts/soc2_readiness_checker.py --config org-controls.json --cloud-mapping
```

### Evidence Collector

```bash
# Generate checklist and track status
python scripts/evidence_collector.py --generate-checklist --categories all
python scripts/evidence_collector.py --status evidence-tracker.json
python scripts/evidence_collector.py --dashboard evidence-tracker.json
```

### Infrastructure Auditor

```bash
# Validate infrastructure against SOC 2 requirements
python scripts/soc2_infrastructure_auditor.py --config infra-config.json
python scripts/soc2_infrastructure_auditor.py --config infra-config.json --format json
```
---

## References

| Document | Description |
|---|---|
| REFERENCE.md | Detailed TSC controls, infrastructure checks, access control specs, vendor management, training, IRP, BC/DR |
| Trust Services Criteria Guide | Complete TSC reference with control objectives and audit questions |
| Infrastructure Security Controls | Cloud, DNS, TLS, endpoint, container, CI/CD security configurations |
| Audit Preparation Playbook | End-to-end audit prep guide with timelines, checklists, cost estimation |

## Troubleshooting

| Problem | Likely Cause | Resolution |
|---|---|---|
| Readiness checker scores are 0% across all categories | Controls JSON missing | Verify the input JSON maps each TSC control to a boolean value under the correct category; compare against the output of `--generate-template` |
| Infrastructure auditor reports all checks as "fail" | Infrastructure config JSON is empty or uses wrong key names | Run `--generate-template` to produce a sample config and match its key names |
| Evidence collector checklist missing categories | `--categories` does not include them | Use `--categories all` to generate the checklist for every TSC category |
| Evidence tracker status not updating | Tracker file path incorrect or file not writable | Verify the path passed to `--update` exists and is writable |
| Cloud mapping not appearing in readiness report | `--cloud-mapping` not included | Add `--cloud-mapping` to the readiness checker command |
| Type II observation period too short for auditor | Observation period is less than 3 months | Most CPA firms require a minimum 3-month observation period for Type II. A 6-12 month period carries more weight. Plan the observation window during the scoping phase. |
| Auditor requests evidence not in the tracker | Evidence catalog does not cover all TSC subcriteria for the selected scope | Supplement the auto-generated checklist with auditor-specific evidence requests. Each CPA firm may have additional requirements beyond the standard TSC evidence items. |

## Success Criteria

- SOC 2 scope defined with all applicable TSC categories selected, system boundaries documented, and subservice organizations identified (carve-out vs inclusive)
- Gap analysis completed with every identified gap assigned a severity rating, remediation owner, and target completion date
- Readiness score of 80%+ across all in-scope TSC categories before engaging the CPA firm, trending to 95%+ before Type II fieldwork
- Evidence collection framework operational with centralized repository, defined refresh cadence per TSC category, and automated collection where possible
- Infrastructure audit passes with no critical or high-severity findings in DNS, TLS, cloud, endpoint, or access control domains
- Type II observation period of at least 6 months with continuous control operation, quarterly self-assessments, and no significant control failures
- Clean SOC 2 Type II opinion received with any findings addressed by management response and documented remediation plans

## Scope & Limitations

In Scope:
- SOC 2 Type I and Type II readiness assessment against all TSC categories (CC1-CC9, A1, PI1, C1, P1)
- Infrastructure security validation (DNS, TLS, cloud, endpoint, network, container, CI/CD, secrets)
- Evidence collection framework generation and tracking
- Gap analysis with severity-rated findings and remediation guidance
- Audit timeline planning and CPA firm engagement preparation
- Incident response plan structure and requirements
- Continuous compliance program design
Out of Scope:
- CPA firm audit execution (the tools prepare for audit; the actual Type I/II report requires an independent CPA firm)
- SOC 1 (ICFR) assessment (SOC 1 covers financial reporting controls, not security/availability/privacy)
- SOC 3 report generation (SOC 3 is a public-facing summary derived from SOC 2; it requires a completed SOC 2 audit)
- Penetration testing execution (use infrastructure-compliance-auditor or engage a third-party pentest firm)
- GRC platform selection or implementation (the skill is compatible with Vanta, Drata, Secureframe, etc., but does not implement them)
- Legal advice on customer contractual requirements for SOC 2 reports
- Physical security assessments (the infrastructure auditor covers logical controls; physical data center audits require on-site assessment)

## Integration Points

| Skill | Integration |
|---|---|
| infrastructure-compliance-auditor | Provides Vanta-level infrastructure checks across cloud, DNS, TLS, endpoints, access controls, and CI/CD that map directly to SOC 2 TSC requirements |
| nist-csf-specialist | NIST CSF functions map to SOC 2 TSC categories; use the control mapper to build unified control matrices for organizations pursuing both |
| information-security-manager-iso27001 | ISO 27001 Annex A controls provide a management system backbone that satisfies many SOC 2 requirements; shared evidence reduces audit burden |
| pci-dss-specialist | PCI DSS requirements overlap with SOC 2 CC6 (access), CC7 (operations), CC8 (change management); shared controls for payment-processing organizations |
| gdpr-dsgvo-expert | GDPR requirements align with SOC 2 Privacy (P1) criteria; organizations processing EU personal data can leverage shared privacy controls |
| nis2-directive-specialist | NIS2 minimum security measures overlap with SOC 2 security criteria; EU entities can map shared incident response, access control, and encryption controls |

## Tool Reference

### `soc2_readiness_checker.py`

Evaluates organizational controls against SOC 2 Trust Services Criteria with per-category scoring.
| Flag | Required | Description |
|---|---|---|
| `--config` | Yes (or `--generate-template`) | Path to organization controls JSON file with boolean values for each TSC control |
| `--format` | No | Output format; `json` for programmatic use |
| `--categories` | No | Space-separated TSC categories to assess (e.g., `security availability`) |
| `--cloud-mapping` | No | Include cloud provider (AWS/Azure/GCP) control mappings in the output |
| `--generate-template` | No | Generate a sample controls JSON template (pipe to file with `>`) |

### `evidence_collector.py`

Generates evidence collection checklists and tracks evidence gathering status.
| Flag | Required | Description |
|---|---|---|
| `--generate-checklist` | No | Generate an evidence collection checklist for the specified categories |
| `--categories` | No | Space-separated TSC categories; `all` selects every category |
| `--status` | No | Path to evidence tracker JSON file to display collection status |
| `--update` | No | Path to evidence tracker JSON file to update (use with `--item` and `--status`) |
| `--item` | No | Evidence item identifier to update (e.g., `CC6.1-MFA`) |
| `--dashboard` | No | Path to evidence tracker JSON file to generate a readiness dashboard |
| `--export` | No | Path to evidence tracker JSON file to export |
| `--format` | No | Export format; `json` for auditor review |

### `soc2_infrastructure_auditor.py`

Audits infrastructure configurations against SOC 2 requirements with severity-rated findings.
| Flag | Required | Description |
|---|---|---|
| `--config` | Yes (or `--generate-template`) | Path to infrastructure configuration JSON file with DNS, TLS, cloud, endpoint, and other domain settings |
| `--format` | No | Output format; `json` for severity-rated, machine-readable findings |
| `--domains` | No | Space-separated infrastructure domains to audit (e.g., `dns tls cloud`) |
| `--generate-template` | No | Generate a sample infrastructure configuration template (pipe to file with `>`) |