When the SOC 2 audit is 6 months out and your enterprise pipeline depends on the report, walk every TSC control with infrastructure evidence ready. — Claude Skill
A Claude Skill for Claude Code by borghei — run /soc2-compliance-expert in Claude · Updated 18 Jun 2026 · v1.0.0
Walk SOC 2 Trust Services Criteria controls with audit-ready evidence.
- Covers Type I and Type II: design plus operating effectiveness over 3-12 month observation periods
- Every TSC category mapped: CC1-CC9 (common criteria), A1 (availability), PI1 (processing integrity), C1 (confidentiality), P1 (privacy)
- Infrastructure validation: cloud (AWS, GCP, Azure), DNS, TLS, endpoints, CI/CD pipelines
- Audit evidence collection per control: logs, tickets, screenshots, policy docs
- Output: gap analysis report plus remediation plan plus auditor-ready evidence index
Who it's for
What it does
You promised the business team a Type I report by Q4. A 30-minute gap analysis surfaces the 12 controls that aren't designed yet, the 8 that need policy docs, and the 4 that need infrastructure changes, with remediation timelines.
You just finished Type I. The 6-month observation window starts Monday. Walk through which evidence streams need automation (logs, access reviews, change tickets) before the auditor returns, what's still manual, and where the gaps will surface.
CC8 controls (change management) are weak. Walk the GitHub plus deploy pipeline. Surface where to add code-review enforcement, auto-attach Jira ticket numbers to commits, and a required CODEOWNERS file structure.
Logical and physical access controls (CC6.6, CC6.7) require crypto controls. Audit your DNS, TLS configs, certificate expiry tracking, and encryption-at-rest evidence to get the table the auditor expects in the evidence packet.
How it works
1. Start with a readiness assessment: which TSC categories are in scope (most SaaS does CC1-CC9 plus A1).
2. Map your current controls per criterion. The skill walks each criterion with concrete questions.
3. Surface gaps: controls not yet designed, designed-but-not-operating, operating-but-no-evidence.
4. For each gap: remediation steps, infrastructure validation pattern (cloud, DNS, TLS, endpoints, CI/CD), and target evidence.
5. Output: gap report plus remediation plan ranked by audit risk plus per-criterion evidence index ready for the auditor.
Example
SaaS PM tool, 280 engineers, hosted on AWS multi-region. Type II audit starts in 4 months. Type I report from 2025. ISMS in place but evidence collection is manual.
CC1-CC5 (common criteria): 23/27 controls designed, 4 need a policy refresh. CC6-CC9: 21 controls — strong on access controls, weak on change-management evidence (CC8.1-CC8.3). A1 (availability): 5 controls — DR runbooks exist but the DR exercise log is missing for 2024.
1. CC8.1 — no GitHub PR review enforcement on the infrastructure-as-code repo.
2. CC7.4 — vulnerability scan schedule is documented but the evidence log is not centralised.
3. CC6.8 — no automated user-access review every 90 days.
4. A1.2 — DR exercise from 2024 is missing its post-mortem doc.
5. PI1.4 — data-validation logic not documented per processing point.
Month 1: policy and process docs for CC8 and CC7.4. Month 2: automate CC6.8 access reviews via Okta plus role exports. Month 3: run the DR exercise plus write the post-mortem. Month 4: dry-run audit walkthrough with all evidence in one drive.
Each criterion maps to a folder: /soc2-evidence/CC8.1/, /CC6.8/, etc. Each folder has a README.md describing the control, the evidence files, and a change log.
Metrics it improves
Works with
- Google Sheets: used as a data source or context to produce a more complete and verifiable result.
- DocuSign CLM: used as a data source or context to produce a more complete and verifiable result.
- Jira: used as a data source or context to produce a more complete and verifiable result.
- Notion: used as a data source or context to produce a more complete and verifiable result.
Want to use SOC 2 Compliance Expert?
Choose how to get started.
Install and run this skill locally on your computer.
Open a terminal on your computer and paste this command:
This downloads the skill with all its files to your computer:
Add -g at the end to make it available in all your projects.
Start Claude Code, then type the command:
SOC 2 Compliance Expert
SOC 2 Type I and Type II compliance management covering all Trust Services Criteria (TSC), infrastructure security validation, evidence collection, and end-to-end audit preparation.
SOC 2 Overview
Type I vs Type II
| Aspect | Type I | Type II |
|---|---|---|
| Scope | Design of controls at a point in time | Design AND operating effectiveness over a period |
| Duration | Single date (snapshot) | Observation period (3-12 months, typically 6-12) |
| Cost | $20K-$60K (first audit) | $40K-$150K (first audit) |
| Timeline | 1-3 months | 6-15 months (includes observation period) |
| Customer Preference | Early-stage acceptable | Enterprise customers require |
Start with Type I to validate control design, then transition to Type II within 6 months.
Trust Services Criteria Summary
| Category | Focus | Controls |
|---|---|---|
| CC1-CC5 | Common Criteria (COSO-based) | Control environment, communication, risk, monitoring, control activities |
| CC6 | Logical and Physical Access | Authentication, authorization, physical security, encryption |
| CC7 | System Operations | Vulnerability management, monitoring, incident response, BCP |
| CC8 | Change Management | Authorization, testing, deployment controls |
| CC9 | Risk Mitigation | Vendor management, business disruption, risk transfer |
| A1 | Availability | Capacity planning, DR, recovery testing |
| PI1 | Processing Integrity | Data validation, error handling, reconciliation |
| C1 | Confidentiality | Classification, encryption, disposal |
| P1 | Privacy | Notice, consent, data subject rights, retention |
For detailed control requirements per category, see REFERENCE.md.
Readiness Assessment Workflow
The agent guides organizations through SOC 2 readiness from gap analysis through audit completion.
Workflow: Phase 1 -- Gap Analysis (Weeks 1-4)
- Define scope -- determine which TSC categories to include (Security is mandatory), define system boundaries, identify subservice organizations (carve-out vs. inclusive), document principal service commitments.
- Assess current state -- inventory existing policies and procedures, map current controls to TSC requirements, interview process owners and control operators.
- Run automated gap analysis using ¤KEEP0¤.
- Document gaps -- missing controls, controls lacking evidence, controls not operating effectively.
- Prioritize gaps by risk level and remediation effort.
- Validation checkpoint: gap analysis covers all in-scope TSC categories; each gap has a severity rating and a remediation owner assigned.
Workflow: Phase 2 -- Remediation (Weeks 5-16)
- Develop/update policies -- information security policy, supporting procedures per control domain, policy review and approval workflows.
- Implement technical controls -- configure the IdP with SSO/MFA enforcement, deploy endpoint security (MDM, EDR, disk encryption), implement SIEM logging and monitoring, configure backup and DR, harden cloud infrastructure.
- Establish processes -- access review procedures, change management workflow, incident response procedures, vendor management program, security awareness training.
- Set up evidence collection -- configure automated collection, establish the repository structure, define the refresh cadence per TSC category.
- Validation checkpoint: all identified gaps remediated; technical controls verified via ¤KEEP0¤; evidence collection producing artifacts.
Workflow: Phase 3 -- Pre-audit (Weeks 17-20)
- Conduct internal readiness assessment -- mock audit against all in-scope TSC, validate evidence completeness and quality, run the infrastructure auditor for technical validation.
- Remediate pre-audit findings -- address remaining gaps, strengthen evidence.
- Select and engage a CPA firm -- negotiate scope, timeline, fees; schedule kickoff; prepare the system description draft.
- Validation checkpoint: mock audit passes with no critical gaps; system description reviewed; auditor engaged.
Workflow: Phase 4 -- Audit Execution
- Type I audit (if applicable) -- auditor reviews control design; management provides assertions; address findings before Type II.
- Type II observation period (3-12 months) -- controls operate consistently, evidence collected continuously, quarterly self-assessments, regular auditor check-ins.
- Fieldwork (2-4 weeks) -- auditor selects samples, tests controls, interviews personnel; draft report review; final report issuance.
- Validation checkpoint: clean opinion received; any findings have a management response and remediation plan.
Evidence Collection Framework
Evidence by TSC Category
| TSC | Evidence Type | Collection Method | Refresh |
|---|---|---|---|
| CC1 | Code of conduct acknowledgments | HR system export | Annual |
| CC2 | Security awareness training records | LMS export | Ongoing |
| CC3 | Risk assessment report, risk register | GRC platform | Annual/Quarterly |
| CC4 | Penetration test reports, vulnerability scans | Third-party/scanner | Annual/Monthly |
| CC5 | Policy documents with version history | Policy management | Annual review |
| CC6 | Access reviews, MFA enrollment, offboarding | IAM/IdP/HRIS | Quarterly/Per event |
| CC7 | Vulnerability remediation, incident records | Ticketing/ITSM | Ongoing |
| CC8 | Change tickets with approvals, code reviews | ITSM/Git | Per change |
| CC9 | Vendor risk assessments, vendor SOC 2 reports | GRC platform | Annual |
| A1 | Uptime reports, DR tests, backup logs | Monitoring/backup | Monthly/Semi-annual |
| PI1 | Data validation/reconciliation reports | Application logs | Per process |
| C1 | Data classification inventory, encryption configs | Manual/automated | Annual/Quarterly |
| P1 | PIAs, DSR response tracking | Privacy tool | Per event |
Example: Evidence Collection Command
```bash
# Generate evidence checklist for all TSC categories
python scripts/evidence_collector.py --generate-checklist --categories all
# Track evidence status
python scripts/evidence_collector.py --status evidence-tracker.json
# Update a specific evidence item
python scripts/evidence_collector.py --update evidence-tracker.json \
    --item CC6.1-MFA --status collected
# Generate readiness dashboard
python scripts/evidence_collector.py --dashboard evidence-tracker.json
# Export for auditor review
python scripts/evidence_collector.py --export evidence-tracker.json --format json
```
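The refresh column in the table above is what turns a tracker from a checklist into something an auditor can sample from: an access review collected eight months ago does not satisfy a quarterly cadence during a Type II window. The following is an added example, not the skill's own evidence_collector.py, that reads a tracker (constructed sample data below), maps each cadence label to a maximum age in days, and reports items that are missing or stale as of a given date. The tracker field names (id, category, refresh, collected_at) and the cadence-to-days mapping are assumptions.

```python
"""Evidence freshness check: flags tracker items that were never collected
or are older than the refresh cadence their TSC category requires.

Added example; the tracker schema and cadence thresholds are assumptions.
"""
from datetime import date

# Maximum acceptable age in days per refresh cadence (assumed mapping of the
# cadence labels in the evidence table). Event-driven cadences have no age
# limit and are only checked for presence.
CADENCE_MAX_AGE_DAYS = {
    "ongoing": 30,
    "monthly": 31,
    "quarterly": 92,
    "semi-annual": 183,
    "annual": 366,
    "per-event": None,
    "per-change": None,
    "per-process": None,
}

# Constructed sample tracker (not real evidence).
TRACKER = {
    "items": [
        {"id": "CC6.1-MFA", "category": "CC6", "refresh": "quarterly",
         "collected_at": "2025-01-10"},
        {"id": "CC6.2-ACCESS-REVIEW", "category": "CC6", "refresh": "quarterly",
         "collected_at": "2024-09-30"},
        {"id": "CC8.1-CHANGE-TICKETS", "category": "CC8", "refresh": "per-change",
         "collected_at": "2025-03-01"},
        {"id": "A1.2-DR-TEST", "category": "A1", "refresh": "semi-annual",
         "collected_at": None},
        {"id": "CC3.1-RISK-ASSESSMENT", "category": "CC3", "refresh": "annual",
         "collected_at": "2024-02-01"},
    ]
}


def _as_date(value):
    """Accept a date or an ISO-8601 string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def age_days(item, as_of):
    """Days since the item was collected, or None if it was never collected."""
    if not item.get("collected_at"):
        return None
    return (_as_date(as_of) - date.fromisoformat(item["collected_at"])).days


def item_status(item, as_of):
    """Return 'missing', 'stale' or 'fresh' for one tracker item."""
    age = age_days(item, as_of)
    if age is None:
        return "missing"
    limit = CADENCE_MAX_AGE_DAYS.get(item["refresh"])
    if limit is not None and age > limit:
        return "stale"
    return "fresh"


def stale_items(tracker, as_of):
    """(item id, status) for every item that is not fresh as of the given date."""
    result = []
    for item in tracker["items"]:
        status = item_status(item, as_of)
        if status != "fresh":
            result.append((item["id"], status))
    return result


def category_summary(tracker, as_of):
    """Per-TSC-category counts: {category: {"total": n, "fresh": m}}."""
    summary = {}
    for item in tracker["items"]:
        entry = summary.setdefault(item["category"], {"total": 0, "fresh": 0})
        entry["total"] += 1
        if item_status(item, as_of) == "fresh":
            entry["fresh"] += 1
    return summary


if __name__ == "__main__":
    today = "2025-03-15"
    for item_id, status in stale_items(TRACKER, today):
        print(f"{status:8} {item_id}")
    print(category_summary(TRACKER, today))
```

Run against the constructed tracker as of 2025-03-15, the quarterly access review (166 days old) and the annual risk assessment (408 days old) come back stale and the DR test comes back missing, while the per-change item is fresh regardless of age because it is event-driven. Running this on a schedule during the observation period is how "evidence collected continuously" becomes verifiable rather than asserted.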
Automation Strategies
GRC Platforms: Vanta, Drata, Secureframe, Laika, AuditBoard -- automated evidence collection via API integrations, continuous control monitoring, auditor collaboration portals.
Infrastructure-as-evidence: cloud configuration snapshots (AWS Config, Azure Policy, GCP Org Policies), Terraform state as configuration evidence, Git history as change management evidence, CI/CD pipeline logs as deployment control evidence.
Infrastructure Security Validation
The agent validates infrastructure configurations against SOC 2 requirements.
Quick Reference: Infrastructure Checks
| Domain | Key Checks | SOC 2 Mapping |
|---|---|---|
| Cloud (AWS/Azure/GCP) | Encryption, IAM, logging, network, backup, secrets | CC6, CC7, A1, C1 |
| DNS | SPF, DKIM, DMARC, DNSSEC, CAA | CC6.6, CC2.2 |
| TLS/SSL | TLS 1.2+, AEAD ciphers, HSTS, auto-renewal | CC6.7 |
| Endpoint | MDM, disk encryption, EDR, patching, screen lock | CC6.1, CC6.8, CC7.1 |
| Network | Segmentation, WAF, DDoS, VPN/ZTNA, egress filtering | CC6.6, A1.1 |
| Container | Image scanning, minimal base, no privileged, RBAC | CC6.1, CC7.1 |
| CI/CD | Signed commits, branch protection, SAST/DAST, SBOM | CC7.1, CC8.1 |
| Secrets | Vault storage, rotation policies, git scanning | CC6.1 |
For detailed per-provider control mappings, see REFERENCE.md.
Example: Infrastructure Audit Command
```bash
# Full infrastructure audit
python scripts/soc2_infrastructure_auditor.py --config infra-config.json
# Audit specific domains only
python scripts/soc2_infrastructure_auditor.py --config infra-config.json \
    --domains dns tls cloud
# JSON output with severity ratings
python scripts/soc2_infrastructure_auditor.py --config infra-config.json --format json
# Generate sample configuration template
python scripts/soc2_infrastructure_auditor.py --generate-template
```
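To make the DNS and TLS rows of the quick-reference table concrete, here is an added example, not the skill's soc2_infrastructure_auditor.py, that evaluates a configuration document for those two domains and emits findings carrying a severity and the SOC 2 criteria the table maps the domain to (CC6.6/CC2.2 for DNS, CC6.7 for TLS). The config schema (keys under "dns" and "tls"), the severity assignments and both sample configurations are assumptions constructed for illustration; a weak configuration and its remediated form are included so the difference in output is visible.

```python
"""DNS and TLS configuration checks with severity-rated, TSC-mapped findings.

Added example; config schema, severities and sample data are assumptions.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed weak configuration: monitor-only DMARC, no DNSSEC or CAA,
# TLS 1.1 still offered, one CBC cipher suite, HSTS off.
WEAK_CONFIG = {
    "dns": {
        "spf": "v=spf1 include:_spf.example.test -all",
        "dkim": True,
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
        "dnssec": False,
        "caa": [],
    },
    "tls": {
        "min_version": "TLSv1.1",
        "ciphers": ["TLS_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA"],
        "hsts": False,
        "auto_renewal": True,
    },
}

# The same configuration after remediation (constructed).
HARDENED_CONFIG = {
    "dns": {
        "spf": "v=spf1 include:_spf.example.test -all",
        "dkim": True,
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.test",
        "dnssec": True,
        "caa": ['0 issue "letsencrypt.org"'],
    },
    "tls": {
        "min_version": "TLSv1.2",
        "ciphers": ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"],
        "hsts": True,
        "auto_renewal": True,
    },
}


@dataclass
class Finding:
    domain: str
    check: str
    severity: str
    tsc: str
    detail: str


def _dmarc_policy(record):
    """Return the p= tag of a DMARC record (lower-cased), or None."""
    for tag in record.split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip().lower() == "p":
            return value.strip().lower()
    return None


def audit_dns(dns):
    tsc = "CC6.6, CC2.2"  # mapping taken from the quick-reference table
    f = []
    spf = dns.get("spf")
    if not spf:
        f.append(Finding("dns", "spf", "HIGH", tsc, "no SPF record"))
    elif not spf.rstrip().endswith(("-all", "~all")):
        f.append(Finding("dns", "spf", "MEDIUM", tsc, "SPF does not end in -all or ~all"))
    if not dns.get("dkim"):
        f.append(Finding("dns", "dkim", "MEDIUM", tsc, "DKIM signing not enabled"))
    dmarc = dns.get("dmarc")
    if not dmarc:
        f.append(Finding("dns", "dmarc", "HIGH", tsc, "no DMARC record"))
    elif _dmarc_policy(dmarc) not in ("quarantine", "reject"):
        f.append(Finding("dns", "dmarc", "MEDIUM", tsc, "DMARC policy is monitor-only (p=none)"))
    if not dns.get("dnssec"):
        f.append(Finding("dns", "dnssec", "LOW", tsc, "DNSSEC not enabled"))
    if not dns.get("caa"):
        f.append(Finding("dns", "caa", "LOW", tsc, "no CAA record restricting certificate issuers"))
    return f


def _tls_version_number(label):
    """'TLSv1.1' -> 1.1; also tolerates bare '1.2'."""
    return float(label.lower().replace("tlsv", "").replace("tls", "") or 0)


def audit_tls(tls):
    tsc = "CC6.7"
    f = []
    min_version = tls.get("min_version", "TLSv1.0")
    if _tls_version_number(min_version) < 1.2:
        f.append(Finding("tls", "min_version", "HIGH", tsc, f"minimum version {min_version} is below TLS 1.2"))
    non_aead = [c for c in tls.get("ciphers", [])
                if not any(tok in c.upper() for tok in ("GCM", "CHACHA20", "CCM"))]
    if non_aead:
        f.append(Finding("tls", "ciphers", "MEDIUM", tsc, "non-AEAD cipher suites enabled: " + ", ".join(non_aead)))
    if not tls.get("hsts"):
        f.append(Finding("tls", "hsts", "MEDIUM", tsc, "HSTS not enabled"))
    if not tls.get("auto_renewal"):
        f.append(Finding("tls", "auto_renewal", "LOW", tsc, "certificate auto-renewal not configured"))
    return f


def audit(config):
    """All DNS and TLS findings for a configuration document."""
    return audit_dns(config.get("dns", {})) + audit_tls(config.get("tls", {}))


def worst_severity(findings):
    return max((x.severity for x in findings), key=SEVERITY_RANK.get, default=None)


if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print(f"[{finding.severity:6}] {finding.domain}/{finding.check} ({finding.tsc}): {finding.detail}")
```

On the weak configuration this yields six findings (one HIGH for TLS 1.1, three MEDIUM, two LOW) and none on the hardened one. An empty configuration document fails every check, which is the symptom the troubleshooting table describes for an empty or mis-keyed infra-config.json.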
Audit Timeline
Typical Timeline (first SOC 2)
| Phase | Duration | Activities |
|---|---|---|
| Scoping | 2-4 weeks | Define TSC, system boundaries, auditor selection |
| Gap Analysis | 2-4 weeks | Assess current controls, identify gaps |
| Remediation | 8-16 weeks | Implement missing controls, policies, procedures |
| Type I Audit | 2-4 weeks | Point-in-time control design assessment |
| Type II Observation | 3-12 months | Controls operate, evidence collected continuously |
| Type II Fieldwork | 2-4 weeks | Auditor testing, evidence review, interviews |
| Report Issuance | 2-4 weeks | Draft review, management response, final report |
Annual Renewal
- Begin renewal planning 3 months before the observation period ends
- Maintain continuous compliance between audit periods
- Address prior-year findings before the new observation period
- Bridge letters are available for gaps between reports
Incident Response Requirements
IRP Structure
- Preparation -- IR team defined, communication channels established, runbooks for common incidents, legal/PR contacts on retainer.
- Detection and Analysis -- monitoring/alerting coverage, severity classification (SEV1-SEV4), triage procedures, escalation matrix.
- Containment, Eradication, Recovery -- isolate affected systems, preserve evidence, identify root cause, restore and validate.
- Post-incident -- blameless post-mortem within 5 business days, lessons learned, control improvements, notification assessment (MTTD, MTTR, MTTC tracking).
For severity level definitions and breach notification timelines, see REFERENCE.md.
Tools
SOC 2 Readiness Checker
```bash
# Full readiness assessment
python scripts/soc2_readiness_checker.py --config org-controls.json
# JSON output for programmatic use
python scripts/soc2_readiness_checker.py --config org-controls.json --format json
# Check specific TSC categories
python scripts/soc2_readiness_checker.py --config org-controls.json \
    --categories security availability
# Include cloud provider control mapping
python scripts/soc2_readiness_checker.py --config org-controls.json --cloud-mapping
```
Evidence Collector
```bash
# Generate checklist and track status
python scripts/evidence_collector.py --generate-checklist --categories all
python scripts/evidence_collector.py --status evidence-tracker.json
python scripts/evidence_collector.py --dashboard evidence-tracker.json
```
Infrastructure Auditor
```bash
# Validate infrastructure against SOC 2 requirements
python scripts/soc2_infrastructure_auditor.py --config infra-config.json
python scripts/soc2_infrastructure_auditor.py --config infra-config.json --format json
```
References
| Document | Description |
|---|---|
| REFERENCE.md | Detailed TSC controls, infrastructure checks, access control specs, vendor management, training, IRP, BC/DR |
| Trust Services Criteria Guide | Complete TSC reference with control objectives and audit questions |
| Infrastructure Security Controls | Cloud, DNS, TLS, endpoint, container, CI/CD security configurations |
| Audit Preparation Playbook | End-to-end audit prep guide with timelines, checklists, cost estimation |
Troubleshooting
| Problem | Likely Cause | Resolution |
|---|---|---|
| Readiness checker scores are 0% across all categories | Controls JSON is missing ¤KEEP0¤ values or all are set to false | Verify the input JSON maps each TSC control to a boolean value under the correct ¤KEEP1¤. Run ¤KEEP2¤ to see the expected structure. |
| Infrastructure auditor reports all checks as "fail" | Infrastructure config JSON is empty or uses the wrong key names | Run ¤KEEP0¤ to produce a valid template. Populate the DNS, TLS, cloud, endpoint, and other sections with the actual infrastructure state. |
| Evidence collector checklist is missing categories | ¤KEEP0¤ flag is filtering the output | Use ¤KEEP1¤ to generate the complete checklist. Available categories: ¤KEEP2¤, ¤KEEP3¤, ¤KEEP4¤, ¤KEEP5¤, ¤KEEP6¤. |
| Evidence tracker status not updating | Tracker file path is incorrect or the file is not writable | Verify the path passed to ¤KEEP0¤ or ¤KEEP1¤ points to an existing tracker JSON file. Check file permissions. |
| Cloud mapping not appearing in the readiness report | ¤KEEP0¤ flag not included | Add ¤KEEP1¤ to the readiness checker command to include AWS/Azure/GCP control mappings in the output. |
| Type II observation period too short for the auditor | Observation period is less than 3 months | Most CPA firms require a minimum 3-month observation period for Type II. A 6-12 month period carries more weight. Plan the observation window during the scoping phase. |
| Auditor requests evidence not in the tracker | Evidence catalog does not cover all TSC subcriteria for the selected scope | Supplement the auto-generated checklist with auditor-specific evidence requests. Each CPA firm may have additional requirements beyond the standard TSC evidence items. |
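The first troubleshooting row (0% everywhere) usually means the scorer is silently treating non-boolean values such as "yes" or 1 as not implemented. The following added example, not the skill's soc2_readiness_checker.py, shows how to separate that input-validation step from the scoring itself: it checks that every control value is a real boolean, then computes per-category and overall percentages and lists the categories below the 80% gate named in the success criteria. The controls schema ({category: {control_id: bool}}) and both sample inputs are assumptions.

```python
"""Readiness scoring over a controls document, with input validation that
explains an unexpected 0% rather than producing one.

Added example; the controls schema and sample data are assumptions.
"""

# Constructed sample: CC6 partially implemented, CC8 not started, A1 complete.
CONTROLS = {
    "CC6": {"CC6.1": True, "CC6.2": True, "CC6.3": False,
            "CC6.6": True, "CC6.7": True, "CC6.8": False},
    "CC8": {"CC8.1": False},
    "A1": {"A1.1": True, "A1.2": True, "A1.3": True},
}

# Constructed malformed input: strings and ints instead of booleans, an empty category.
BAD_CONTROLS = {
    "CC6": {"CC6.1": "yes", "CC6.2": 1},
    "CC7": {},
}


def validate_controls(controls):
    """Return a list of problems; an empty list means the input is well-formed.

    Only real booleans are accepted. 1 or "yes" are reported rather than
    coerced, because silent coercion is what yields an unexplained 0% score.
    """
    if not isinstance(controls, dict) or not controls:
        return ["controls JSON is not a non-empty object"]
    problems = []
    for category, items in controls.items():
        if not isinstance(items, dict) or not items:
            problems.append(f"{category}: no controls listed")
            continue
        for control_id, value in items.items():
            if type(value) is not bool:  # bool is a subclass of int, so isinstance() is not enough
                problems.append(f"{control_id}: value {value!r} is not a boolean")
    return problems


def score_by_category(controls):
    """Percent of controls implemented per category, rounded to one decimal."""
    scores = {}
    for category, items in controls.items():
        total = len(items)
        implemented = sum(1 for v in items.values() if v is True)
        scores[category] = round(100.0 * implemented / total, 1) if total else 0.0
    return scores


def overall_score(controls):
    """Percent of all in-scope controls implemented."""
    total = sum(len(items) for items in controls.values())
    implemented = sum(1 for items in controls.values() for v in items.values() if v is True)
    return round(100.0 * implemented / total, 1) if total else 0.0


def below_threshold(controls, threshold=80.0):
    """Categories whose score is under the readiness gate (80% by default)."""
    return sorted(c for c, s in score_by_category(controls).items() if s < threshold)


if __name__ == "__main__":
    for doc in (CONTROLS, BAD_CONTROLS):
        problems = validate_controls(doc)
        if problems:
            print("input problems:", *problems, sep="\n  ")
        print("scores:", score_by_category(doc), "overall:", overall_score(doc))
        print("below 80%:", below_threshold(doc))
```

With the well-formed sample the scores are CC6 66.7%, CC8 0%, A1 100% (70% overall) and CC6 and CC8 fall below the gate; with the malformed sample every category scores 0% exactly as the troubleshooting row describes, but validate_controls names the three offending entries first.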
Success Criteria
- SOC 2 scope defined with all applicable TSC categories selected, system boundaries documented, and subservice organizations identified (carve-out vs inclusive)
- Gap analysis completed with every identified gap assigned a severity rating, remediation owner, and target completion date
- Readiness score of 80%+ across all in-scope TSC categories before engaging the CPA firm, trending to 95%+ before Type II fieldwork
- Evidence collection framework operational with a centralized repository, defined refresh cadence per TSC category, and automated collection where possible
- Infrastructure audit passes with no critical or high-severity findings in the DNS, TLS, cloud, endpoint, or access control domains
- Type II observation period of at least 6 months with continuous control operation, quarterly self-assessments, and no significant control failures
- Clean SOC 2 Type II opinion received with any findings addressed by management response and documented remediation plans
Scope & Limitations
In Scope:
- SOC 2 Type I and Type II readiness assessment against all TSC categories (CC1-CC9, A1, PI1, C1, P1)
- Infrastructure security validation (DNS, TLS, cloud, endpoint, network, container, CI/CD, secrets)
- Evidence collection framework generation and tracking
- Gap analysis with severity-rated findings and remediation guidance
- Audit timeline planning and CPA firm engagement preparation
- Incident response plan structure and requirements
- Continuous compliance program design
Out of Scope:
- CPA firm audit execution (the tools prepare for the audit; the actual Type I/II report requires an independent CPA firm)
- SOC 1 (ICFR) assessment (SOC 1 covers financial reporting controls, not security/availability/privacy)
- SOC 3 report generation (SOC 3 is a public-facing summary derived from SOC 2; it requires a completed SOC 2 audit)
- Penetration testing execution (use infrastructure-compliance-auditor or engage a third-party pentest firm)
- GRC platform selection or implementation (the skill is compatible with Vanta, Drata, Secureframe, etc., but does not implement them)
- Legal advice on customer contractual requirements for SOC 2 reports
- Physical security assessments (the infrastructure auditor covers logical controls; physical data center audits require on-site assessment)
Integration Points
| Skill | Integration |
|---|---|
| infrastructure-compliance-auditor | Provides Vanta-level infrastructure checks across cloud, DNS, TLS, endpoints, access controls, and CI/CD that map directly to SOC 2 TSC requirements |
| nist-csf-specialist | NIST CSF functions map to SOC 2 TSC categories; use the control mapper to create unified control matrices for organizations pursuing both |
| information-security-manager-iso27001 | ISO 27001 Annex A controls provide a management system backbone that satisfies many SOC 2 requirements; shared evidence reduces audit burden |
| pci-dss-specialist | PCI DSS requirements overlap with SOC 2 CC6 (access), CC7 (operations), CC8 (change management); shared controls for payment-processing organizations |
| gdpr-dsgvo-expert | GDPR requirements align with SOC 2 Privacy (P1) criteria; organizations processing EU personal data can leverage shared privacy controls |
| nis2-directive-specialist | NIS2 minimum security measures overlap with SOC 2 security criteria; EU entities can map shared incident response, access control, and encryption controls |
Tool Reference
soc2_readiness_checker.py
Evaluates organizational controls against the SOC 2 Trust Services Criteria with per-category scoring.
| Flag | Required | Description |
|---|---|---|
| ¤KEEP0¤ | Yes (or ¤KEEP1¤) | Path to the organization controls JSON file with boolean values for each TSC control |
| ¤KEEP0¤ | No | Output format: ¤KEEP1¤ for structured output, omit for human-readable text |
| ¤KEEP0¤ | No | Space-separated TSC categories to assess (e.g., ¤KEEP1¤). Omit for all. |
| ¤KEEP0¤ | No | Include cloud provider (AWS/Azure/GCP) control mappings in the output |
| ¤KEEP0¤ | No | Generate a sample controls JSON template (pipe to a file with ¤KEEP1¤) |
evidence_collector.py
Generates evidence collection checklists and tracks evidence gathering status.
| Flag | Required | Description |
|---|---|---|
| ¤KEEP0¤ | No | Generate an evidence collection checklist for the specified categories |
| ¤KEEP0¤ | No | Space-separated TSC categories: ¤KEEP1¤, ¤KEEP2¤, ¤KEEP3¤, ¤KEEP4¤, ¤KEEP5¤, or ¤KEEP6¤ |
| ¤KEEP0¤ | No | Path to the evidence tracker JSON file to display collection status |
| ¤KEEP0¤ | No | Path to the evidence tracker JSON file to update (use with ¤KEEP1¤ and ¤KEEP2¤) |
| ¤KEEP0¤ | No | Evidence item identifier to update (e.g., ¤KEEP1¤) |
| ¤KEEP0¤ | No | Path to the evidence tracker JSON file to generate a readiness dashboard |
| ¤KEEP0¤ | No | Path to the evidence tracker JSON file to export |
| ¤KEEP0¤ | No | Export format: ¤KEEP1¤ for structured output |
soc2_infrastructure_auditor.py
Audits infrastructure configurations against SOC 2 requirements with severity-rated findings.
| Flag | Required | Description |
|---|---|---|
| ¤KEEP0¤ | Yes (or ¤KEEP1¤) | Path to the infrastructure configuration JSON file with DNS, TLS, cloud, endpoint, and other domain settings |
| ¤KEEP0¤ | No | Output format: ¤KEEP1¤ for structured findings with severity ratings, omit for human-readable text |
| ¤KEEP0¤ | No | Space-separated infrastructure domains to audit (e.g., ¤KEEP1¤). Omit for all domains. |
| ¤KEEP0¤ | No | Generate a sample infrastructure configuration template (pipe to a file with ¤KEEP1¤) |