Agent skill

soc2-compliance-automator

SOC 2 Trust Services Criteria compliance automation for evidence collection, control mapping, and audit preparation

View SKILL.md on GitHub Repository
Stars 514
Forks 31

Install this agent skill to your Project

npx add-skill https://github.com/a5c-ai/babysitter/tree/main/library/specializations/security-compliance/skills/soc2-compliance-automator

SKILL.md

SOC 2 Compliance Automator Skill

Purpose

Automate SOC 2 Trust Services Criteria (TSC) compliance activities including control mapping, evidence collection, audit preparation, and continuous compliance monitoring.

Capabilities

Control Mapping

  • Map organizational controls to SOC 2 TSC requirements
  • Cover all five Trust Services Categories:
    • Security (Common Criteria)
    • Availability
    • Processing Integrity
    • Confidentiality
    • Privacy
  • Generate control matrices with evidence requirements
  • Identify control gaps and coverage

Evidence Collection

  • Automate evidence gathering from cloud providers
  • Collect access control configurations (IAM, RBAC)
  • Capture security configurations and policies
  • Document change management processes
  • Archive audit logs and monitoring data
  • Screenshot automation for manual controls

Audit Preparation

  • Generate Type I and Type II audit packages
  • Prepare management assertion documents
  • Create system description documents
  • Organize evidence by control objective
  • Generate auditor-ready reports

Control Effectiveness Tracking

  • Monitor control implementation status
  • Track control testing results
  • Document control exceptions
  • Manage remediation activities
  • Calculate compliance scores

Continuous Compliance

  • Monitor control drift and changes
  • Alert on compliance deviations
  • Track evidence freshness
  • Generate compliance dashboards
  • Automate periodic control testing

Trust Services Categories

CC - Common Criteria (Security)

  • CC1: Control Environment
  • CC2: Communication and Information
  • CC3: Risk Assessment
  • CC4: Monitoring Activities
  • CC5: Control Activities
  • CC6: Logical and Physical Access Controls
  • CC7: System Operations
  • CC8: Change Management
  • CC9: Risk Mitigation

A - Availability

  • System availability commitments
  • Disaster recovery and business continuity
  • Capacity planning and monitoring

PI - Processing Integrity

  • Data processing accuracy
  • Completeness and timeliness
  • Error handling procedures

C - Confidentiality

  • Data classification
  • Encryption requirements
  • Access restrictions

P - Privacy

  • Privacy notice and consent
  • Data subject rights
  • Data retention and disposal

Integrations

  • Vanta: Automated security and compliance
  • Drata: Continuous compliance automation
  • Secureframe: Security compliance platform
  • AWS/Azure/GCP APIs: Cloud configuration evidence
  • Identity Providers: Access control evidence
  • SIEM Systems: Log and monitoring evidence

Target Processes

  • SOC 2 Compliance Audit Preparation
  • Continuous Compliance Monitoring
  • Security Control Assessment
  • Audit Readiness Review

Input Schema

json
{
  "type": "object",
  "properties": {
    "auditType": {
      "type": "string",
      "enum": ["Type1", "Type2"],
      "description": "SOC 2 audit type"
    },
    "trustCategories": {
      "type": "array",
      "items": {
        "type": "string",
        "enum": ["Security", "Availability", "ProcessingIntegrity", "Confidentiality", "Privacy"]
      }
    },
    "auditPeriod": {
      "type": "object",
      "properties": {
        "startDate": { "type": "string", "format": "date" },
        "endDate": { "type": "string", "format": "date" }
      }
    },
    "cloudProviders": {
      "type": "array",
      "items": {
        "type": "string",
        "enum": ["AWS", "Azure", "GCP"]
      }
    },
    "controlMatrix": {
      "type": "string",
      "description": "Path to existing control matrix"
    },
    "evidenceBasePath": {
      "type": "string",
      "description": "Base path for evidence storage"
    }
  },
  "required": ["auditType", "trustCategories"]
}

Output Schema

json
{
  "type": "object",
  "properties": {
    "assessmentId": {
      "type": "string"
    },
    "auditType": {
      "type": "string"
    },
    "assessmentDate": {
      "type": "string",
      "format": "date-time"
    },
    "trustCategories": {
      "type": "array"
    },
    "controlSummary": {
      "type": "object",
      "properties": {
        "totalControls": { "type": "integer" },
        "implemented": { "type": "integer" },
        "partiallyImplemented": { "type": "integer" },
        "notImplemented": { "type": "integer" },
        "notApplicable": { "type": "integer" }
      }
    },
    "evidenceStatus": {
      "type": "object",
      "properties": {
        "collected": { "type": "integer" },
        "pending": { "type": "integer" },
        "missing": { "type": "integer" }
      }
    },
    "gapAnalysis": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "controlId": { "type": "string" },
          "gap": { "type": "string" },
          "remediation": { "type": "string" },
          "priority": { "type": "string" }
        }
      }
    },
    "auditPackage": {
      "type": "object",
      "properties": {
        "controlMatrix": { "type": "string" },
        "evidenceFolder": { "type": "string" },
        "systemDescription": { "type": "string" },
        "managementAssertion": { "type": "string" }
      }
    },
    "complianceScore": {
      "type": "number"
    }
  }
}

Usage Example

javascript
skill: {
  name: 'soc2-compliance-automator',
  context: {
    auditType: 'Type2',
    trustCategories: ['Security', 'Availability', 'Confidentiality'],
    auditPeriod: {
      startDate: '2024-01-01',
      endDate: '2024-12-31'
    },
    cloudProviders: ['AWS', 'Azure']
  }
}

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

a5c-ai/babysitter

gsd-tools

Central utility skill for GSD operations. Provides config parsing, slug generation, timestamps, path operations, and orchestrates calls to other specialized skills. Acts as the unified entry point that the original gsd-tools.cjs provided via its lib/ modules (commands, config, core, init).

514 31
Explore
a5c-ai/babysitter

model-profile-resolution

Resolve model profile (quality/balanced/budget) at orchestration start and map agents to specific models. Enables cost/quality tradeoffs by selecting appropriate AI models for each agent role.

514 31
Explore
a5c-ai/babysitter

verification-suite

Plan structure validation, phase completeness checks, reference integrity verification, and artifact existence confirmation. Provides the structured verification layer ensuring GSD artifacts are well-formed and complete.

514 31
Explore
a5c-ai/babysitter

state-management

STATE.md reading, writing, and field-level updates. Provides cross-session state persistence via .planning/STATE.md with structured fields for current task, completed phases, blockers, decisions, and quick tasks.

514 31
Explore
a5c-ai/babysitter

git-integration

Git commit patterns, formats, and conventions for GSD methodology. Provides atomic commits per task, structured commit messages, planning file commits, branch management, and milestone tag operations.

514 31
Explore
a5c-ai/babysitter

frontmatter-parsing

YAML frontmatter parsing and manipulation for .planning/ documents. Provides read, write, update, query, and validation operations on frontmatter blocks in GSD markdown artifacts.

514 31
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results