{"id":"f5c8765c-c934-4560-9bfe-ba34c9da1a3e","shortId":"GxCBwp","kind":"skill","title":"soc2-readiness","tagline":">-","description":"# SOC 2 Readiness Assessment\n\nAssess readiness for a SOC 2 Type II audit. This skill walks through the Trust Services Criteria, identifies gaps, maps to NIST controls, and generates a prioritized remediation plan.\n\n## Security Model\n\n- **No scripts executed** — markdown-only procedural guidance\n- **No secrets required** — works with reference checklists\n- **IP-clean** — AICPA Trust Services Criteria are publicly cited; descriptions are original writing\n- **Evidence stays local** — all collection outputs go to local filesystem\n\n## When to Use\n\nActivate this skill when:\n\n1. **First SOC 2 preparation** — building controls from scratch for initial Type I or Type II\n2. **Pre-audit readiness check** — 4-8 weeks before audit window opens\n3. **Gap analysis after scope change** — new systems, services, or trust criteria added\n4. **Remediation planning** — translating audit findings into actionable work items\n5. **Dual-framework mapping** — already pursuing ISO 27001 and need SOC 2 overlap analysis\n\nDo NOT use for:\n- ISO 27001 internal audit — use `iso-27001-internal-audit`\n- Evidence collection mechanics — use `iso-27001-evidence-collection`\n- Contract review — use legal agreement skills\n\n## Core Concepts\n\n### Trust Services Criteria (TSC)\n\nSOC 2 is organized around 5 Trust Services Categories. 
**Security (CC)** is always in scope; others are optional based on your service:\n\n| Category | Criteria | When Required |\n|----------|----------|---------------|\n| **Security** (CC) | CC 1-9 (33 criteria) | Always required |\n| **Availability** (A) | A 1.1-1.3 (3 criteria) | SaaS with uptime SLAs |\n| **Processing Integrity** (PI) | PI 1.1-1.5 (5 criteria) | Data processing services |\n| **Confidentiality** (C) | C 1.1-1.2 (2 criteria) | Handling confidential data |\n| **Privacy** (P) | P 1-8 (18 criteria) | Collecting or processing personal information (PII) |\n\n### SOC 2 vs. ISO 27001\n\n| Dimension | SOC 2 | ISO 27001 |\n|-----------|-------|-----------|\n| Governing body | AICPA | ISO/IEC |\n| Geography | Primarily US/Canada | Global |\n| Type | Attestation report by CPA | Certification by audit body |\n| Scope | Service-specific | Organization-wide ISMS |\n| Controls | Flexible (you define) | 93 Annex A controls (ISO 27001:2022) |\n| Output | SOC 2 report (restricted use; the general-use summary is a SOC 3) | Certificate |\n| Overlap | ~70% overlap with ISO 27001 Annex A | ~70% overlap with SOC 2 CC |\n\n### Decision Tree: Scope Selection\n\n```\nWhat service are you getting audited on?\n├── SaaS product → Security + Availability (+ Confidentiality if you handle sensitive data)\n├── Data processing → Security + Processing Integrity + Confidentiality\n├── Infrastructure → Security + Availability\n├── API service → Security (+ PI if you transform data)\n│\nDo you handle PII?\n├── YES → Add Privacy category\n├── NO → Skip Privacy\n│\nDo you have uptime SLAs?\n├── YES → Include Availability\n├── NO → Optional (but customers expect it for SaaS)\n```\n\n## Step-by-Step Workflow\n\n### Step 1: Define Scope and Categories\n\n1. **Identify the service** being audited (product name, description, boundaries)\n2. **Select Trust Services Categories** using the decision tree above\n3. **Define system boundaries**: infrastructure, software, people, procedures, data\n4. 
**Document sub-service organizations** (cloud providers, payment processors, etc.) and state for each whether you use the carve-out or inclusive method\n5. **Determine audit type**: Type I (design and implementation at a point in time) or Type II (operating effectiveness over an observation period, typically 3-12 months; a first Type II commonly uses a 3- or 6-month window)\n\n### Step 2: Assess Current State\n\nFor each applicable Common Criterion (CC), assess whether controls are:\n- **Designed** — control exists on paper\n- **Implemented** — control is operating\n- **Effective** — control achieves its objective and evidence of its operation exists for the whole period\n\n```\n# If Internal ISO Audit MCP server is available (SOC 2 maps to ISO 27001 Annex A):\nlist_controls(domain=\"technological\")                       # List tech controls (maps to CC 6-8)\nget_control_guidance(control_id=\"A.5.15\")                   # Get guidance for ISO control mapped from CC 6.1\nget_nist_mapping(control_id=\"AC-2\", direction=\"nist_to_iso\")  # Find ISO controls from NIST reference\nsearch_guidance(query=\"incident response\")                  # Search for controls matching SOC 2 criteria\n```\n\n### Step 3: Map Controls to Criteria\n\nEach CC maps to specific NIST controls. 
Use this mapping to identify what you need:\n\n#### CC 1 — Control Environment\n\n| Criterion | Focus | NIST Controls | ISO Cross-Reference |\n|-----------|-------|---------------|---------------------|\n| CC 1.1 | Integrity and ethics | PS-1, PS-3, PS-6 | A.6.1, A.6.2, A.6.4 |\n| CC 1.2 | Board oversight | PM-1, PM-2 | C.5.1, C.5.3 |\n| CC 1.3 | Organizational structure | PM-2 | C.5.3 |\n| CC 1.4 | Competence commitment | AT-2, PS-3 | A.6.1, A.6.3 |\n| CC 1.5 | Accountability | PS-3, PS-4 | A.6.4, A.6.5 |\n\n#### CC 2 — Communication and Information\n\n| Criterion | Focus | NIST Controls | ISO Cross-Reference |\n|-----------|-------|---------------|---------------------|\n| CC 2.1 | Internal information | AU-2, SI-5 | C.7.5.1 |\n| CC 2.2 | Internal communication | PM-2, AT-2 | C.7.4, A.6.3 |\n| CC 2.3 | External communication | PM-1 | A.5.14 |\n\n#### CC 3 — Risk Assessment\n\n| Criterion | Focus | NIST Controls | ISO Cross-Reference |\n|-----------|-------|---------------|---------------------|\n| CC 3.1 | Risk objectives | PM-9, RA-1 | C.6.1.1 |\n| CC 3.2 | Risk identification | RA-3 | C.6.1.2, C.8.2 |\n| CC 3.3 | Fraud risk | RA-3 | C.6.1.2 |\n| CC 3.4 | Change impact | RA-3, CM-4 | C.6.1.2, A.8.9 |\n\n#### CC 4 — Monitoring Activities\n\n| Criterion | Focus | NIST Controls | ISO Cross-Reference |\n|-----------|-------|---------------|---------------------|\n| CC 4.1 | Ongoing monitoring | CA-7, PM-6 | C.9.1 |\n| CC 4.2 | Deficiency evaluation | CA-2 | C.9.2.1 |\n\n#### CC 5 — Control Activities\n\n| Criterion | Focus | NIST Controls | ISO Cross-Reference |\n|-----------|-------|---------------|---------------------|\n| CC 5.1 | Risk mitigation | AC-5 | A.5.3 |\n| CC 5.2 | Technology controls | AC-1, IA-2 | A.5.15, A.8.5 |\n| CC 5.3 | Policy deployment | PM-1, PL-1 | A.5.1, C.5.2 |\n\n#### CC 6 — Logical and Physical Access\n\n| Criterion | Focus | NIST Controls | ISO Cross-Reference |\n|-----------|-------|---------------|---------------------|\n| CC 6.1 | 
Access control | AC-2, AC-3, IA-2, SC-28 | A.5.15, A.8.5, A.8.24 |\n| CC 6.2 | Access provisioning | AC-2, PS-4, PS-5 | A.5.18, A.6.5 |\n| CC 6.3 | Access modification | AC-2, AC-6 | A.5.15, A.5.18 |\n| CC 6.4 | Physical access | PE-2, PE-3, PE-6 | A.7.2, A.7.4 |\n| CC 6.5 | Asset disposal | MP-6 | A.7.10, A.7.14 |\n| CC 6.6 | Threat detection | RA-5, SI-4 | A.8.8, A.8.16 |\n| CC 6.7 | Transmission security | SC-8 | A.5.14, A.8.24 |\n| CC 6.8 | Malware prevention | SI-2, SI-3 | A.8.7, A.8.19 |\n\n#### CC 7 — System Operations\n\n| Criterion | Focus | NIST Controls | ISO Cross-Reference |\n|-----------|-------|---------------|---------------------|\n| CC 7.1 | Operational monitoring | CM-6, RA-5 | A.8.9, A.8.8 |\n| CC 7.2 | Anomaly detection | AU-6, SI-4 | A.8.15, A.8.16 |\n| CC 7.3 | Incident response | IR-4 | A.5.24, A.5.25 |\n| CC 7.4 | Incident management | IR-5, IR-6 | A.5.25, A.5.26 |\n| CC 7.5 | Recovery | CP-4, CP-9, CP-10 | A.5.30, A.8.13 |\n\n#### CC 8 — Change Management\n\n| Criterion | Focus | NIST Controls | ISO Cross-Reference |\n|-----------|-------|---------------|---------------------|\n| CC 8.1 | Change control | CM-3, CM-5, SA-3 | A.8.9, A.8.25, A.8.32 |\n\n#### CC 9 — Risk Mitigation\n\n| Criterion | Focus | NIST Controls | ISO Cross-Reference |\n|-----------|-------|---------------|---------------------|\n| CC 9.1 | Risk mitigation | CP-2, RA-7 | A.5.30, C.6.1.3 |\n| CC 9.2 | Vendor management | AC-20, SA-9 | A.5.19, A.5.22 |\n\n### Step 4: Generate Gap Analysis\n\nFor each criterion, document:\n\n```markdown\n## Gap: [CC x.x] — [Brief description]\n\n**Current State**: [What exists today]\n**Required State**: [What the auditor expects]\n**Gap**: [What's missing]\n**Remediation**:\n1. [Specific action item]\n2. 
[Specific action item]\n**Priority**: Critical / High / Medium / Low\n**Effort**: [Days/weeks to remediate]\n**Owner**: [Person responsible]\n**Evidence Needed**: [What to collect after fix]\n```\n\n### Step 5: Build Remediation Plan\n\nPrioritize gaps by:\n1. **Critical** — exceptions here typically result in a qualified opinion (CC 6.1, 6.2, 7.2, 7.5, 8.1)\n2. **High** — Likely exception if not addressed (CC 1.4, 3.2, 6.6, 7.3)\n3. **Medium** — Auditor will note but may not report an exception\n4. **Low** — Best practice, not strictly required\n\n### Step 6: Readiness Report\n\nGenerate a structured readiness assessment:\n\n1. **Executive summary** — overall readiness percentage (criteria rated effective over criteria in scope), estimated time to audit-ready\n2. **Scope** — service description, trust categories, audit type\n3. **Control matrix** — all applicable criteria with status (designed/implemented/effective)\n4. **Gap analysis** — prioritized list of gaps with remediation plan\n5. **Timeline** — remediation milestones leading to audit window\n\n## Quick Reference: Top SOC 2 Failures\n\n| # | Criterion | Common Failure | Fix |\n|---|-----------|---------------|-----|\n| 1 | CC 6.1 | MFA not universal | Enforce MFA at the identity provider and on every direct path to sensitive data (VPN, cloud console, SSH) |\n| 2 | CC 6.2 | Access not revoked on termination | Automate deprovisioning from the HR termination event; verify revocation within 24h and retain the evidence |\n| 3 | CC 7.2 | No log monitoring | Configure alerts for auth failures, privilege changes |\n| 4 | CC 8.1 | No change management | Require PR reviews; document deployment process |\n| 5 | CC 7.5 | Backups never tested | Restore from backup quarterly; document results |\n| 6 | CC 3.2 | No risk assessment | Conduct and document annual risk assessment |\n| 7 | CC 6.6 | No vulnerability scanning | Deploy automated scanning; remediate criticals in 30d |\n| 8 | CC 1.4 | Security training incomplete | Require annual training; track completion |\n| 9 | CC 9.2 | Vendor risk not assessed | Maintain vendor register; collect SOC 2 reports |\n| 10 | CC 7.3 | No incident response plan | Document plan; conduct 
tabletop exercise |\n\n## DO / DON'T\n\n### DO\n- Start with Security (CC) criteria — they're always required and cover ~80% of effort\n- Map to ISO 27001 if pursuing both frameworks — ~70% control overlap\n- Collect evidence throughout the audit period, not just at audit time\n- Include sub-service organizations in your description\n- Define the audit period before starting evidence collection\n\n### DON'T\n- Include trust categories you can't support — a clean opinion on fewer categories is worth more than exceptions on more\n- Assume Type I is \"easy\" — it requires all controls to be designed and implemented as of the report date\n- Forget the system description — auditors review this first and use it to scope their testing\n- Use generic/template control descriptions — auditors expect your controls to match your actual environment\n- Ignore complementary user entity controls (CUECs) — your customers need to know their responsibilities\n\n## Troubleshooting\n\n| Problem | Solution |\n|---------|----------|\n| First SOC 2, no existing controls | Start with CC 6 (access) and CC 8 (change management) — fastest to implement |\n| Already have ISO 27001 | Map Annex A controls to SOC 2 CC; ~70% are already covered |\n| Auditor requests evidence we don't have | Collect it now; document the process; note in the description if the control was implemented mid-period, since the auditor can only test the part of the period in which it operated |\n| Multiple environments (prod/staging/dev) | Production is normally the in-scope system; keep staging/dev out unless they hold production data or form part of the CC 8.1 deployment path, and document the boundary clearly |\n| Sub-service org (AWS/GCP/Azure) | Use the provider's SOC 2 Type II report (carve-out method); document which controls they cover and treat the CUECs in their report as controls you must operate yourself |\n\n## Rules\n\nFor detailed SOC 2-specific guidance:\n\n| File | Coverage |\n|------|----------|\n| `rules/logical-access.md` | CC 6.1–6.8 — access control, provisioning, physical, threat detection |\n| `rules/system-operations.md` | CC 7.1–7.5 — monitoring, anomaly detection, incident response, recovery |\n| `rules/change-vendor-management.md` | CC 8.1, CC 9.1–9.2 — change control, risk mitigation, vendor management |\n| 
`rules/control-environment.md` | CC 1.1–1.5 — governance, ethics, org structure, competence, accountability |\n| `rules/risk-assessment.md` | CC 3.1–3.4 — risk objectives, identification, fraud risk, change impact |\n| `rules/control-activities.md` | CC 5.1–5.3 — risk mitigation selection, technology controls, policy deployment |\n| `rules/communication-info.md` | CC 2.1–2.3 — internal/external communication, information quality |\n| `rules/monitoring-activities.md` | CC 4.1–4.2 — ongoing monitoring, deficiency evaluation |\n| `rules/optional-categories.md` | A 1.x, PI 1.x, C 1.x — Availability, Processing Integrity, Confidentiality |\n| `rules/privacy-criteria.md` | P 1.x–8.x — Privacy criteria (when PII in scope) |\n\n## Attribution\n\nSOC 2 criteria mapping and readiness procedures developed with [Internal ISO Audit](https://internalisoaudit.com) (Hazel Castro, ISO 27001 Lead Auditor, 14+ years, 100+ audits).\n\n## Runtime Detection\n\n1. **Internal ISO Audit MCP server available** (best) — Live ISO 27001 control guidance with NIST cross-references. SOC 2 criteria map to ISO 27001 Annex A controls (~70% overlap); use `get_nist_mapping` for bidirectional lookup. Server: `internalisoaudit.com/api/mcp`\n2. **Local compliance data available** (good) — Reads `compliance/` directory with SOC 2 test metadata\n3. 
**Reference only** (baseline) — Uses embedded criteria mapping and checklists in `rules/`\n\n## Connectors\n\nFor Internal ISO Audit MCP server setup, see [CONNECTORS.md](./CONNECTORS.md).","tags":["soc2","readiness","open","agreements","open-agreements","agent-skills","anthropic","claude","claude-code","claude-code-cli","claude-code-commands","claude-code-plugin"],"capabilities":["skill","source-open-agreements","skill-soc2-readiness","topic-agent-skills","topic-anthropic","topic-claude","topic-claude-code","topic-claude-code-cli","topic-claude-code-commands","topic-claude-code-plugin","topic-claude-code-plugins","topic-claude-code-skills","topic-claude-code-subagents","topic-claude-skills","topic-contract-automation"],"categories":["open-agreements"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/open-agreements/open-agreements/soc2-readiness","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add open-agreements/open-agreements","source_repo":"https://github.com/open-agreements/open-agreements","install_from":"skills.sh"}},"qualityScore":"0.465","qualityRationale":"deterministic score 0.47 from registry signals: · indexed on github topic:agent-skills · 31 github stars · SKILL.md body (13,277 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-01T06:57:03.535Z","embedding":null,"createdAt":"2026-04-18T22:22:49.596Z","updatedAt":"2026-05-01T06:57:03.535Z","lastSeenAt":"2026-05-01T06:57:03.535Z","prices":[{"id":"d7e65eb1-b6bb-456b-935f-e7c8ed84baa7","listingId":"f5c8765c-c934-4560-9bfe-ba34c9da1a3e","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"open-agreements","category":"open-agreements","install_from":"skills.sh"},"createdAt":"2026-04-18T22:22:49.596Z"}],"sources":[{"listingId":"f5c8765c-c934-4560-9bfe-ba34c9da1a3e","source":"github","sourceId":"open-agreements/open-agreements/soc2-readiness","sourceUrl":"https://github.com/open-agreements/open-agreements/tree/main/skills/soc2-readiness","isPrimary":false,"firstSeenAt":"2026-04-18T22:22:49.596Z","lastSeenAt":"2026-05-01T06:57:03.535Z"}],"details":{"listingId":"f5c8765c-c934-4560-9bfe-ba34c9da1a3e","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"open-agreements","slug":"soc2-readiness","github":{"repo":"open-agreements/open-agreements","stars":31,"topics":["agent-skills","anthropic","claude","claude-code","claude-code-cli","claude-code-commands","claude-code-plugin","claude-code-plugins","claude-code-skills","claude-code-subagents","claude-skills","contract-automation","docx","gemini-cli-extension","legal-tech","legal-templates","nda-template","open-source-legal","safe-template"],"license":"mit","html_url":"https://github.com/open-agreements/open-agreements","pushed_at":"2026-04-30T21:31:08Z","description":"Fill standard legal agreement templates and produce signable DOCX files. 
25 templates covering NDAs, cloud terms, SAFEs, and NVCA financing documents.","skill_md_sha":"25eec0716ce13566f3a727ed3609be72c8362e07","skill_md_path":"skills/soc2-readiness/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/open-agreements/open-agreements/tree/main/skills/soc2-readiness"},"layout":"multi","source":"github","category":"open-agreements","frontmatter":{"name":"soc2-readiness","license":"MIT","description":">-","compatibility":">-"},"skills_sh_url":"https://skills.sh/open-agreements/open-agreements/soc2-readiness"},"updatedAt":"2026-05-01T06:57:03.535Z"}}