# SOC 2 Control Narrative Author

> Guided elaboration of SOC 2 readiness documentation: control narratives aligned to AICPA Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy), control-objective mapping, and evidence placeholders for Type I/II audit.



Tags: SOC 2, AICPA, Trust Services Criteria, Compliance, Audit, Cybersecurity


## Example Prompts

- Draft SOC 2 control narratives for our Security and Availability criteria
- Map our controls to CC1–CC9 and add evidence placeholders
- Check that every in-scope TSC criterion has a narrative and evidence reference
- Prepare a readiness checklist for our Type II audit

URL: https://rakenne.app/skills/soc2-control-narrative-author/index.md

Try this skill: https://rakenne.app/a/?skill=soc2-control-narrative-author



## Overview

Guided elaboration of SOC 2 readiness documentation: control narratives aligned to AICPA Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy), control-objective mapping, and evidence placeholders for Type I/II audit.

## Getting Started

Add your source materials to the project workspace, then activate the *SOC 2 Control Narrative Author* skill. The agent will guide you through the process step by step.

## Example Conversation

Below is an example of how a typical SOC 2 control narrative session unfolds. The agent scopes TSC categories, drafts narratives per criterion, and adds evidence placeholders.

> **You:** We need SOC 2 Type II readiness. We're in scope for Security (all common criteria) and Availability. Can you draft control narratives and evidence placeholders for CC1 through CC9 and A1?
>
> **Agent:** I'll draft control narratives for Security (CC1–CC9) and Availability (A1). Do you already have a control narrative document I should extend, or should I create a new one?
>
> **You:** Create a new document. We have an access control policy, change management procedure, and monitoring runbooks.
>
> **Agent:** I've created `soc2-control-narratives.md` with sections for each criterion. For **CC1 (Control environment)** I've described your board oversight and management structure and added an evidence placeholder: "Board charter, org chart, management meeting minutes." For **CC6 (Logical and physical access)** I've referenced your access control policy and added placeholders for access reviews and termination checklist. I'll continue with CC2–CC5, CC7–CC9, and A1.
>
> **You:** Run the validation tool to see if we're missing anything.
>
> **Agent:** I ran `check_trust_services_criteria_coverage` on the document. Result: 10 criteria referenced (CC1–CC9, A1). Two warnings: CC4 and CC7 need a clearer evidence reference (e.g. name the specific runbook or monitoring report). I'll add those now.

## Sample Output Excerpt

Below is a representative excerpt from a SOC 2 control narrative document showing criterion-level narratives and evidence placeholders.

---

### CC6 — Logical and physical access controls

**Control objective:** The entity implements logical and physical access controls to protect against unauthorized access to systems, data, and facilities.

**Control narrative:** Access to production systems and customer data is governed by an Access Control Policy. New hires receive access only after HR onboarding and manager approval; access is provisioned via our identity provider (Okta). Access reviews are conducted quarterly by managers; access is revoked within 24 hours of termination. Physical access to data centers is controlled by badge and MFA; visitors are escorted.

**Evidence:** Access Control Policy v2.1; Okta provisioning workflow; quarterly access review report (Q3 2025); termination checklist; data center access log sample.

---

### A1 — Availability

**Control objective:** The entity maintains system availability consistent with commitments to users.

**Control narrative:** We target 99.9% uptime for our core platform. Monitoring is 24/7; incidents are triaged via PagerDuty. RTO/RPO are documented in our BCP; we run annual DR tests and document results.

**Evidence:** SLA document; PagerDuty runbook; BCP section 4.2; DR test report 2025.

---

## Built-in Validation Tools

The skill includes an extension tool that checks SOC 2 control narrative documents for TSC coverage and evidence references.

### What the tool checks

| Check | Description |
|-------|-------------|
| **TSC criteria referenced** | Detects which criteria (CC1–CC9, A1, PI1, C1, P1–P8) appear in the document |
| **Control narrative** | For each referenced criterion, checks that a control narrative (description of how the control operates) is present |
| **Evidence reference** | For each criterion, checks that evidence or placeholders (policy, procedure, sample, audit reference) are mentioned |
| **Unmapped criteria** | Reports in-scope criteria that are not referenced anywhere in the document (e.g. a Security-only scope should still cover CC1–CC9) |

Run **check_trust_services_criteria_coverage** on the control narrative or readiness document after drafting or updating to ensure each in-scope criterion has a narrative and evidence reference.
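As an added example of the kind of check the table describes (this is not the skill's own `check_trust_services_criteria_coverage` implementation), the Python script below splits a markdown narrative document into criterion sections and reports missing narratives, missing or placeholder evidence, and in-scope criteria that are never referenced. The section layout it assumes (`### CCn ...` headings with `**Control narrative:**` and `**Evidence:**` fields, as in the excerpt above), the placeholder words it treats as weak evidence, and the category-to-criteria mapping are assumptions; the sample document is constructed.

```python
"""Coverage checker for SOC 2 control narrative documents (added example, not the skill's code)."""
import re
from dataclasses import dataclass, field

# Trust Services Criteria ids grouped by category (assumption: the set the
# page's table lists, CC1-CC9, A1, PI1, C1, P1-P8).
CATEGORY_CRITERIA = {
    "Security": [f"CC{i}" for i in range(1, 10)],
    "Availability": ["A1"],
    "Processing Integrity": ["PI1"],
    "Confidentiality": ["C1"],
    "Privacy": [f"P{i}" for i in range(1, 9)],
}

# Assumed document convention: a criterion section starts with a markdown
# heading whose first token is the criterion id, e.g. "### CC6 - Logical access".
HEADING_RE = re.compile(r"^#{1,6}\s+(CC[1-9]|A1|PI1|C1|P[1-8])\b.*$", re.MULTILINE)
NARRATIVE_RE = re.compile(r"\*\*Control narrative:\*\*[ \t]*(.*)", re.IGNORECASE)
EVIDENCE_RE = re.compile(r"\*\*Evidence:\*\*[ \t]*(.*)", re.IGNORECASE)
# Evidence that is only a marker rather than a named artefact (assumed convention).
PLACEHOLDER_RE = re.compile(r"\b(TBD|TODO|placeholder|to be added)\b", re.IGNORECASE)


@dataclass
class CoverageReport:
    referenced: list = field(default_factory=list)
    missing_narrative: list = field(default_factory=list)
    missing_evidence: list = field(default_factory=list)
    placeholder_evidence: list = field(default_factory=list)
    unmapped: dict = field(default_factory=dict)  # category -> criteria not referenced


def split_sections(doc: str) -> dict:
    """Map each criterion id to its section body (heading line to next criterion heading)."""
    matches = list(HEADING_RE.finditer(doc))
    sections: dict = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(doc)
        sections[m.group(1)] = sections.get(m.group(1), "") + doc[m.end():end]
    return sections


def check_coverage(doc: str, in_scope: list) -> CoverageReport:
    """Run the four checks: referenced criteria, narrative, evidence, unmapped criteria."""
    report = CoverageReport()
    sections = split_sections(doc)
    report.referenced = list(sections)  # dict preserves document order
    for crit, body in sections.items():
        narrative = NARRATIVE_RE.search(body)
        if not narrative or not narrative.group(1).strip():
            report.missing_narrative.append(crit)
        evidence = EVIDENCE_RE.search(body)
        if not evidence or not evidence.group(1).strip():
            report.missing_evidence.append(crit)
        elif PLACEHOLDER_RE.search(evidence.group(1)):
            report.placeholder_evidence.append(crit)
    for category in in_scope:
        gaps = [c for c in CATEGORY_CRITERIA[category] if c not in sections]
        if gaps:
            report.unmapped[category] = gaps
    return report


def format_report(report: CoverageReport) -> str:
    """Render the report in the error/warning style a readiness reviewer expects."""
    lines = [f"{len(report.referenced)} criteria referenced: {', '.join(report.referenced)}"]
    lines += [f"ERROR {c}: no control narrative" for c in report.missing_narrative]
    lines += [f"ERROR {c}: no evidence reference" for c in report.missing_evidence]
    lines += [f"WARN  {c}: evidence is a placeholder; name the specific artefact"
              for c in report.placeholder_evidence]
    lines += [f"WARN  {cat} scope: not referenced: {', '.join(gaps)}"
              for cat, gaps in report.unmapped.items()]
    return "\n".join(lines)


# Constructed sample document: CC1 and CC6 are complete, CC7 has placeholder
# evidence, A1 has a narrative but no evidence, and CC2-CC5/CC8-CC9 are absent.
SAMPLE_DOC = """\
# SOC 2 control narratives (constructed sample)

### CC1 - Control environment

**Control objective:** The entity demonstrates a commitment to integrity and ethical values.

**Control narrative:** The board oversees management through quarterly reviews.

**Evidence:** Board charter; org chart; management meeting minutes (Q3 2025).

### CC6 - Logical and physical access controls

**Control narrative:** Access is provisioned through the identity provider after manager approval and reviewed quarterly.

**Evidence:** Access Control Policy v2.1; quarterly access review report (Q3 2025).

### CC7 - System operations

**Control narrative:** Security events are monitored and triaged by the on-call engineer.

**Evidence:** TBD - monitoring report

### A1 - Availability

**Control narrative:** We target 99.9% uptime; DR tests run annually.

**Evidence:**
"""

if __name__ == "__main__":
    print(format_report(check_coverage(SAMPLE_DOC, ["Security", "Availability"])))
```

The placeholder check is deliberately narrow: it flags only explicit markers such as `TBD`, because deciding whether "monitoring report" names a specific artefact is a judgement the reviewer should make, not a regex. Extending `CATEGORY_CRITERIA` or the heading pattern is all that is needed if a document uses a different section convention.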


