
SOC 2 Control Narrative Author


    Overview

    Guided elaboration of SOC 2 readiness documentation: control narratives aligned to AICPA Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy), control-objective mapping, and evidence placeholders for Type I/II audit.

    Getting Started

    Add your source materials to the project workspace, then activate the SOC 2 Control Narrative Author skill. The agent will guide you through the process step by step.

    Example Conversation

    Below is an example of how a typical SOC 2 control narrative session unfolds. The agent scopes TSC categories, drafts narratives per criterion, and adds evidence placeholders.

    You: We need SOC 2 Type II readiness. We’re in scope for Security (all common criteria) and Availability. Can you draft control narratives and evidence placeholders for CC1 through CC9 and A1?

    Agent: I’ll draft control narratives for Security (CC1–CC9) and Availability (A1). Do you already have a control narrative document I should extend, or should I create a new one?

    You: Create a new document. We have an access control policy, change management procedure, and monitoring runbooks.

    Agent: I’ve created soc2-control-narratives.md with sections for each criterion. For CC1 (Control environment) I’ve described your board oversight and management structure and added an evidence placeholder: “Board charter, org chart, management meeting minutes.” For CC6 (Logical and physical access) I’ve referenced your access control policy and added placeholders for access reviews and termination checklist. I’ll continue with CC2–CC5, CC7–CC9, and A1.

    You: Run the validation tool to see if we’re missing anything.

    Agent: I ran check_trust_services_criteria_coverage on the document. Result: 10 criteria referenced (CC1–CC9, A1). Two warnings: CC4 and CC7 need a clearer evidence reference (e.g. name the specific runbook or monitoring report). I’ll add those now.

    Sample Output Excerpt

    Below is a representative excerpt from a SOC 2 control narrative document showing criterion-level narratives and evidence placeholders.


    CC6 — Logical and physical access controls

    Control objective: The entity implements logical and physical access controls to protect against unauthorized access to systems, data, and facilities.

    Control narrative: Access to production systems and customer data is governed by an Access Control Policy. New hires receive access only after HR onboarding and manager approval; access is provisioned via our identity provider (Okta). Access reviews are conducted quarterly by managers; access is revoked within 24 hours of termination. Physical access to data centers is controlled by badge and MFA; visitors are escorted.

    Evidence: Access Control Policy v2.1; Okta provisioning workflow; quarterly access review report (Q3 2025); termination checklist; data center access log sample.


    A1 — Availability

    Control objective: The entity maintains system availability consistent with commitments to users.

    Control narrative: We target 99.9% uptime for our core platform. Monitoring is 24/7; incidents are triaged via PagerDuty. RTO/RPO are documented in our BCP; we run annual DR tests and document results.

    Evidence: SLA document; PagerDuty runbook; BCP section 4.2; DR test report 2025.


    Built-in Validation Tools

    The skill includes an extension tool that checks SOC 2 control narrative documents for TSC coverage and evidence references.

    What the tool checks

    Check                     Description
    TSC criteria referenced   Detects which criteria (CC1–CC9, A1, PI1, C1, P1–P8) appear in the document
    Control narrative         For each referenced criterion, checks that a control narrative (description of how the control operates) is present
    Evidence reference        For each criterion, checks that evidence or placeholders (policy, procedure, sample, audit reference) are mentioned
    Unmapped criteria         Informs when criteria are not referenced (e.g. Security-only scope should have CC1–CC9)

    Run check_trust_services_criteria_coverage on the control narrative or readiness document after drafting or updating to ensure each in-scope criterion has a narrative and evidence reference.
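    The following is an added example of how such a coverage check can be implemented; it is not the skill's own tool. It assumes the document layout shown in the sample excerpt above (a line starting with the criterion ID as the section heading, followed by "Control narrative:" and "Evidence:" lines), and the rule for flagging a bare placeholder as "needs a clearer evidence reference" (TBD, TODO, placeholder) is an assumed heuristic. The sample document inside the block is constructed for this example.

```python
"""Coverage checker for SOC 2 control narrative documents (added example,
not the skill's own implementation). Section layout follows the page's
sample excerpt; the placeholder heuristic is an assumption."""
import re
from dataclasses import dataclass, field

# Criteria per Trust Services category, as listed in the tool description.
CATEGORY_CRITERIA = {
    "Security": [f"CC{i}" for i in range(1, 10)],
    "Availability": ["A1"],
    "Processing Integrity": ["PI1"],
    "Confidentiality": ["C1"],
    "Privacy": [f"P{i}" for i in range(1, 9)],
}

# A section heading starts with the criterion ID, e.g. "CC6 - Logical and physical access".
HEADING_RE = re.compile(r"^\s*(CC[1-9]|A1|PI1|C1|P[1-8])\b")
NARRATIVE_RE = re.compile(r"^\s*control narrative:\s*(.*)$", re.I)
EVIDENCE_RE = re.compile(r"^\s*evidence:\s*(.*)$", re.I)
# Evidence that names nothing specific (assumed heuristic for the "clearer reference" warning).
VAGUE_RE = re.compile(r"(tbd|todo|n/?a|placeholder|to be (?:added|provided|determined))?\s*\.?", re.I)


@dataclass
class CoverageReport:
    referenced: list[str]                                  # criteria with a section, in document order
    missing_narrative: list[str] = field(default_factory=list)
    missing_evidence: list[str] = field(default_factory=list)
    vague_evidence: list[str] = field(default_factory=list)
    unmapped: list[str] = field(default_factory=list)      # in scope but never referenced

    def warnings(self) -> list[str]:
        out = [f"{c}: no control narrative found" for c in self.missing_narrative]
        out += [f"{c}: no evidence reference found" for c in self.missing_evidence]
        out += [f"{c}: evidence is a bare placeholder; name the specific policy, report or runbook"
                for c in self.vague_evidence]
        out += [f"{c}: in scope but not referenced in the document" for c in self.unmapped]
        return out


def split_sections(text: str) -> dict[str, list[str]]:
    """Group document lines under the criterion heading that precedes them."""
    sections: dict[str, list[str]] = {}
    current = None
    for line in text.splitlines():
        m = HEADING_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def check_trust_services_criteria_coverage(text: str, scope: list[str]) -> CoverageReport:
    """Check narrative and evidence presence per referenced criterion, then
    list every criterion of the in-scope categories that has no section."""
    unknown = [cat for cat in scope if cat not in CATEGORY_CRITERIA]
    if unknown:
        raise ValueError(f"unknown TSC category: {unknown}")
    sections = split_sections(text)
    report = CoverageReport(referenced=list(sections))
    for crit, lines in sections.items():
        narrative = [m.group(1).strip() for m in map(NARRATIVE_RE.match, lines) if m]
        evidence = [m.group(1).strip() for m in map(EVIDENCE_RE.match, lines) if m]
        if not any(narrative):
            report.missing_narrative.append(crit)
        if not evidence:
            report.missing_evidence.append(crit)
        elif all(VAGUE_RE.fullmatch(e) for e in evidence):
            report.vague_evidence.append(crit)
    expected = [c for cat in scope for c in CATEGORY_CRITERIA[cat]]
    report.unmapped = [c for c in expected if c not in sections]
    return report


# Constructed sample document: CC4 lacks evidence, CC7 has only a placeholder,
# and several Security criteria have no section at all.
SAMPLE_DOC = """\
SOC 2 control narratives (constructed sample)

CC1 - Control environment
Control narrative: The board reviews security posture quarterly; management owns the control set.
Evidence: Board charter; org chart; management meeting minutes (2025).

CC4 - Monitoring activities
Control narrative: Internal audit reviews control operation annually.

CC6 - Logical and physical access controls
Control narrative: Production access is governed by the Access Control Policy; reviews are quarterly.
Evidence: Access Control Policy v2.1; quarterly access review report (Q3 2025); termination checklist.

CC7 - System operations
Control narrative: Alerts are triaged by the on-call engineer per the monitoring runbook.
Evidence: TBD

A1 - Availability
Control narrative: We target 99.9% uptime; DR tests run annually.
Evidence: SLA document; BCP section 4.2; DR test report 2025.
"""

if __name__ == "__main__":
    result = check_trust_services_criteria_coverage(SAMPLE_DOC, ["Security", "Availability"])
    print(f"{len(result.referenced)} criteria referenced: {', '.join(result.referenced)}")
    for w in result.warnings():
        print("warning:", w)
```

    Running the block on the constructed sample reports five referenced criteria and seven warnings: CC4 has no evidence line, CC7's evidence is only "TBD", and CC2, CC3, CC5, CC8 and CC9 are in the Security scope but have no section. Vague-evidence detection is deliberately conservative (only bare placeholders trigger it), so a reviewer still has to judge whether a named artifact is the right one.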
