Overview
Build and validate the organizational context profile for SOC 2 audit readiness. Captures principal service commitments, system requirements (SCSR), trust services categories, system boundaries, subservice organizations (carved-out/inclusive), and complementary user entity controls (CUECs). Boundary validator checks scope completeness; CUEC mapper validates controls are specific, actionable, and TSC-aligned.
The organization profile is the foundation that every other SOC 2 skill reads from. Without it, each skill must re-collect the same organizational facts, leading to inconsistency across the system description, risk register, policies, and audit report. This skill produces a structured organization-profile.json that serves as the single source of truth for the entire engagement.
Getting Started
Create a new project using the SOC 2 Audit Readiness workspace template, or install this skill individually. The agent will interview you to capture organizational facts — services, infrastructure, TSC scope, system boundaries, subservice organizations, and CUECs — then validate the profile using two built-in tools before saving it to the workspace.
Example Conversation
Below is an example of how a typical organization profile session unfolds. The agent gathers context through targeted questions, builds the profile iteratively, and validates using the boundary validator and CUEC mapper.
You: We’re starting a SOC 2 Type II engagement for DataVault Technologies, a B2B SaaS document management platform. 120 employees, based in Austin, TX. AWS infrastructure in us-east-1 and eu-west-1, Okta for IAM, GitHub for source control, Datadog for monitoring, Stripe for billing. We have 99.9% uptime SLAs with enterprise customers.
Agent: I’ve captured the core organizational facts. Let me gather the remaining details to complete the profile.
- Trust services categories — Security (CC) is always required. Given your 99.9% uptime SLA, Availability (A) should be in scope. Do you also need Processing Integrity, Confidentiality, or Privacy?
- Key personnel — Who is your CISO, CTO, and compliance lead?
- Audit period — What dates for the Type II observation period? (Minimum 6 months for initial engagement.)
You: Security and Availability in scope. Sarah Chen is CISO, Michael Torres is CTO, Lisa Park leads compliance. Audit period is July 1, 2025 through June 30, 2026. All three cloud vendors (AWS, Datadog, Stripe) should be carved-out — we’ll reference their SOC 2 reports.
Agent: Profile is taking shape. Now I need to define CUECs — what responsibilities do your customers have for securing their use of DataVault?
You: Customers must enforce MFA for admin accounts, decommission users when employees leave, configure IP allowlisting if they want restricted access, report suspected security incidents within 24 hours, and maintain the security of documents before upload.
Agent: I’ve added 5 CUECs and drafted CSOCs for all three carved-out vendors. Let me run both validators.
[Runs boundary_validator] Results:
- In-scope items: PASS (DataVault platform, AWS infrastructure, Okta IAM, all supporting services)
- Out-of-scope items: PASS (corporate email, HR systems — justified as separate compliance programs)
- Subservice organizations: PASS (3 carved-out with valid methods)
- CSOCs: PASS (defined for AWS, Datadog, Stripe — physical security, encryption, availability)
- Trust services categories: PASS (Security + Availability)
[Runs cuec_mapper] Results:
- CUECs present: PASS (5 CUECs defined)
- Specificity: PASS (all exceed 50-character minimum)
- TSC mapping: PASS (all mapped to Security or Availability categories)
- Common CUECs check: INFO — consider adding a CUEC for customer API key management
I’ve saved organization-profile.json and updated the dashboard.
Sample Output Excerpt
Below is a representative excerpt from the organization profile JSON, showing the SCSR section and subservice organizations — two areas that feed directly into the system description.
Principal Service Commitments and System Requirements (SCSR)
```json
{
  "scsr": {
    "commitments": [
      {
        "id": "SC-001",
        "commitment": "Platform Availability",
        "description": "DataVault production environment shall be available for customer access",
        "sla_target": "99.9% monthly uptime excluding scheduled maintenance"
      },
      {
        "id": "SC-002",
        "commitment": "Data Security",
        "description": "Customer documents encrypted at rest and in transit",
        "sla_target": "AES-256 at rest, TLS 1.2+ in transit"
      },
      {
        "id": "SC-003",
        "commitment": "Incident Notification",
        "description": "Affected customers notified of confirmed security incidents",
        "sla_target": "Within 72 hours of confirmation"
      }
    ],
    "requirements": [
      "All data in transit must use TLS 1.2 or higher",
      "All data at rest encrypted using AES-256 via AWS KMS with annual key rotation",
      "Production deployments require two peer-reviewed approvals and pass automated security scans",
      "System availability monitored 24/7 via Datadog with 15-minute SRE response SLA",
      "Customer admin accounts must have MFA enabled (enforced at first login)"
    ]
  }
}
```
Subservice Organizations
```json
{
  "subservice_organizations": [
    {
      "name": "Amazon Web Services (AWS)",
      "services": "Cloud infrastructure — compute, storage, database, networking, CDN",
      "method": "carved-out",
      "soc_report": "AWS SOC 2 Type II, most recent period",
      "csocs": [
        "Physical security of data centers",
        "Network isolation of customer environments",
        "Encryption key management (KMS)",
        "Infrastructure availability and redundancy"
      ]
    },
    {
      "name": "Datadog, Inc.",
      "services": "Infrastructure and application monitoring, log management, alerting",
      "method": "carved-out",
      "soc_report": "Datadog SOC 2 Type II, most recent period",
      "csocs": [
        "Secure transmission and storage of log data",
        "Access controls over monitoring dashboards",
        "Platform availability per published SLA"
      ]
    }
  ]
}
```
Built-in Validation
The skill includes two validation tools that automatically check the organization profile for SOC 2 structural completeness. The agent runs both validators after each editing pass and iterates until all checks pass.
What the validators check
Boundary Validator:
| Check Category | What It Validates | Severity |
|---|---|---|
| In-scope items | At least one in-scope system, process, or service defined | ERROR if empty |
| Out-of-scope items | Exclusions have justification text | WARNING if missing |
| Subservice organizations | Each has a valid method (carved-out or inclusive) | ERROR if invalid |
| CSOCs | Defined when carved-out subservice organizations exist | ERROR if missing |
| Infrastructure | Components referenced in system boundaries | WARNING if missing |
| Locations | At least one location specified | WARNING if missing |
| Trust services categories | Security (CC) included at minimum | ERROR if missing |
CUEC Mapper:
| Check Category | What It Validates | Severity |
|---|---|---|
| CUECs present | At least one CUEC defined | ERROR if missing |
| Specificity | Each CUEC is at least 50 characters (shorter entries flagged as too vague) | WARNING per entry |
| TSC mapping | Each CUEC maps to at least one trust services category | WARNING if unmapped |
| Common CUECs | Flags commonly missing CUECs: MFA enforcement, access review, credential management, data backup, incident reporting | INFO |
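As an added illustration (not the skill's own validator code), the following Python sketch expresses the checks from the two tables above and runs them over a constructed profile; the field names in_scope, tsc, subservice_organizations and cuecs are assumptions modelled on the JSON excerpt above.

```python
# Added example, not the skill's own validator code: a Python sketch of the checks
# in the two tables above. Profile field names are assumptions modelled on the excerpt.
# Keywords used to spot the commonly missing CUECs the mapper reports as INFO.
COMMON_CUECS = {"MFA enforcement": ("mfa", "multi-factor"),
                "access review": ("access review", "decommission", "deprovision"),
                "credential management": ("api key", "credential", "password"),
                "data backup": ("backup",), "incident reporting": ("incident",)}

def validate_boundaries(profile: dict) -> list[tuple[str, str, str]]:
    """Boundary validator: in-scope items, subservice method, CSOCs, Security (CC)."""
    f = []  # (severity, check, message)
    if not profile.get("in_scope"):
        f.append(("ERROR", "in_scope_items", "no in-scope systems defined"))
    for org in profile.get("subservice_organizations", []):
        if org.get("method") not in ("carved-out", "inclusive"):
            f.append(("ERROR", "subservice_organizations", f"{org['name']}: invalid method"))
        elif org["method"] == "carved-out" and not org.get("csocs"):
            f.append(("ERROR", "csocs", f"{org['name']} is carved-out but has no CSOCs"))
    if "Security" not in profile.get("tsc", []):
        f.append(("ERROR", "trust_services_categories", "Security (CC) is required"))
    return f

def map_cuecs(profile: dict) -> list[tuple[str, str, str]]:
    """CUEC mapper: presence, 50-character specificity, TSC mapping, common gaps."""
    cuecs = profile.get("cuecs", [])
    if not cuecs:
        return [("ERROR", "cuecs_present", "no CUECs defined")]
    f = []
    for c in cuecs:
        if len(c["text"]) < 50:
            f.append(("WARNING", "specificity", f"{c['id']} too vague ({len(c['text'])} chars)"))
        if not set(c.get("tsc", [])) & set(profile.get("tsc", [])):
            f.append(("WARNING", "tsc_mapping", f"{c['id']} not mapped to an in-scope TSC"))
    corpus = " ".join(c["text"].lower() for c in cuecs)
    for topic, words in COMMON_CUECS.items():
        if not any(w in corpus for w in words):
            f.append(("INFO", "common_cuecs", f"consider adding a CUEC for {topic}"))
    return f

# Constructed sample profile: one carved-out vendor without CSOCs and one vague CUEC.
SAMPLE_PROFILE = {
    "in_scope": ["DataVault platform", "AWS infrastructure", "Okta IAM"],
    "tsc": ["Security", "Availability"],
    "subservice_organizations": [
        {"name": "AWS", "method": "carved-out", "csocs": ["Physical security of data centers"]},
        {"name": "Stripe", "method": "carved-out", "csocs": []}],
    "cuecs": [{"id": "CUEC-02", "tsc": ["Availability"], "text": "Report incidents promptly"},
              {"id": "CUEC-01", "tsc": ["Security"], "text": "Customers must enforce MFA for all "
               "administrator accounts and disable them within 24 hours of offboarding"}],
}
```

Running both functions over SAMPLE_PROFILE yields one ERROR (Stripe has no CSOCs), one specificity WARNING for the 25-character CUEC, and INFO hints for the common CUEC topics the sample never mentions.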
Example validation output
```
========================================================================
SOC 2 Organization Profile — Boundary Validation
========================================================================
--- Checks (9 total) ---
[PASS] in_scope_items: 6 systems and services defined
[PASS] out_of_scope_items: 2 exclusions with justification
[PASS] subservice_organizations: 3 vendors, all with valid method
[PASS] csocs: CSOCs defined for all 3 carved-out organizations
[PASS] infrastructure: 8 infrastructure components referenced
[PASS] locations: 1 office + 2 AWS regions
[PASS] trust_services_categories: Security (CC) + Availability (A)
[PASS] audit_type: Type II with valid period
[PASS] key_personnel: CISO, CTO, compliance lead defined
Result: PASS (9/9 checks satisfied)
========================================================================

========================================================================
SOC 2 Organization Profile — CUEC Validation
========================================================================
[PASS] 5 CUECs defined
[PASS] All CUECs exceed 50-character minimum specificity
[PASS] All CUECs mapped to TSC categories
[INFO] Consider adding CUEC for customer API key rotation/management
Result: PASS
========================================================================
```
The agent runs both validators automatically after drafting and surfaces findings inline, so you always know exactly what remains before the profile is structurally complete.