SOC 2 Readiness Gap Analysis
Overview
Maps internal controls against the AICPA Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). Identifies unmapped criteria, validates evidence artifacts and tests of effectiveness, and produces a prioritized remediation roadmap for SOC 2 Type I or Type II audit readiness.
Getting Started
Add your source materials to the project workspace, then activate the SOC 2 Readiness Gap Analysis skill. The agent will guide you through the process step by step.
Example Conversation
You: We’re preparing for a SOC 2 Type II and need a gap analysis. Our platform is in scope — Security, Availability, and Confidentiality. I’ve added our policies and a first cut of controls to the workspace.
Agent: I’ve loaded your controls-inventory.json. Scope is CC, A, and C. I’ll run the TSC mapping engine to see coverage and gaps.
Agent: [Runs tsc_mapping_engine] Coverage: CC 78%, A 67%, C 50%. There are 7 unmapped criteria — including CC4.2 (evaluating and communicating deficiencies), A1.2 (capacity), and C1.1, C1.2 (confidentiality). Three controls have no TSC mappings, and two are marked “planned”. I’ll list the full gaps in the report. Should I run the evidence validator next?
You: Yes. We’ve done internal testing on most controls but I’m not sure we documented it everywhere.
Agent: [Runs evidence_artifact_validator] Four implemented controls are missing a Test of Effectiveness; two have “not_tested” and one has no evidence artifacts. I’ve added an “Evidence and Testing Gaps” section to the draft report with remediation actions. I’ve also updated the remediation roadmap: Phase 1 is mapping the missing criteria and adding ToE for the four controls; Phase 2 is the two Confidentiality criteria. Want me to fill in the Executive Summary and risk table next?
You: Yes. Then we’ll review and add the missing ToE details to the inventory.
Agent: Done. The report now has the executive summary, TSC coverage table, gap analysis, and a phased remediation roadmap. Re-run the mapping and evidence tools after you update the inventory and I’ll refresh the numbers.
Sample Output Excerpt
Below is a representative excerpt from a SOC 2 Readiness Gap Analysis report.
1. Executive Summary
Acme Platform Services completed a SOC 2 readiness gap analysis for the period ending 28 February 2025. The assessment covered the AICPA Trust Services Criteria for Security (Common Criteria), Availability, and Confidentiality. Overall TSC coverage is 72% (54 of 75 in-scope criteria mapped to implemented controls). Twenty-one criteria remain unmapped or are covered only by planned controls. Four implemented controls lack a documented Test of Effectiveness (ToE); these must be addressed before the Type II observation period. Top priorities: (1) map and implement controls for CC4.2 (deficiency evaluation and communication) and A1.2 (capacity); (2) complete ToE and evidence for access review and backup testing controls; (3) add Confidentiality criteria C1.1 and C1.2 with data classification and handling evidence.
3. TSC Coverage Summary
3.1 Coverage by Category
| Category | Criteria | Mapped | Gaps | Coverage |
|---|---|---|---|---|
| CC — Security | 33 | 26 | 7 | 79% |
| A — Availability | 3 | 2 | 1 | 67% |
| C — Confidentiality | 2 | 0 | 2 | 0% |
| Total | 38 | 28 | 10 | 74% |
7. Remediation Roadmap (excerpt)
| # | Action | Owner | Target Date | TSC Impact | Effort |
|---|---|---|---|---|---|
| 1 | Document and communicate control deficiency process; add evidence | Compliance | 15 Mar 2025 | CC4.2 | S |
| 2 | Add capacity planning procedure and evidence (A1.2) | Infrastructure | 31 Mar 2025 | A1.2 | M |
| 3 | Complete ToE for quarterly access reviews (AC-02) | IAM | 10 Mar 2025 | CC6.3 | S |
| 4 | Define confidentiality commitments; map data flows and controls to C1.1, C1.2 | Security | 30 Apr 2025 | C1.1, C1.2 | L |
Built-in Scripts and Validation
The skill provides two validation tools that the agent runs against the controls inventory (controls-inventory.json) to verify TSC coverage and evidence readiness before drafting the report.
Validation tools
| Tool | Purpose |
|---|---|
| tsc_mapping_engine | Analyzes the controls inventory against in-scope Trust Services Categories (CC, A, PI, C, P). Validates: (1) every in-scope TSC criterion is mapped to at least one control; (2) controls map only to valid criterion IDs; (3) controls have at least one TSC mapping; (4) controls marked not_implemented or planned are flagged as not providing effective coverage. Reports per-category coverage percentages, a list of unmapped criteria (gaps), and control-level findings (errors and warnings). Run after each round of inventory updates. |
| evidence_artifact_validator | Checks that every implemented or partially_implemented control has: (1) a Test of Effectiveness (ToE) with method, frequency, and result; (2) a ToE result of effective or partially_effective (flags not_tested, missing result, or ineffective); (3) a last_performed date when the test was executed; (4) at least one evidence artifact. Flags controls missing ToE, untested or ineffective ToE, missing evidence, and partial effectiveness without remediation notes. Run after mapping is complete and before drafting the final report. |
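As an added example (not the skill's own scripts), the checks the two tools are described as performing, implemented in Python over a constructed controls inventory. The JSON field names (status, tsc, toe, evidence, last_performed, remediation), the control IDs, and the shortened in-scope criteria list are assumptions; real TSC category lists are much longer.

```python
import json
IN_SCOPE = {"CC": ["CC4.2", "CC6.3"], "A": ["A1.2"], "C": ["C1.1", "C1.2"]}  # constructed subset
VALID_IDS = {crit for ids in IN_SCOPE.values() for crit in ids}
COVERING = {"implemented", "partially_implemented"}  # statuses that provide effective coverage

INVENTORY = json.loads("""{"controls": [
 {"id": "AC-02", "status": "implemented", "tsc": ["CC6.3"], "evidence": ["access-review-q4.pdf"],
  "toe": {"method": "sample", "frequency": "quarterly", "result": "effective", "last_performed": "2025-02-10"}},
 {"id": "CP-01", "status": "planned", "tsc": ["A1.2"], "evidence": [], "toe": null},
 {"id": "DC-01", "status": "implemented", "tsc": ["C1.1"], "evidence": [],
  "toe": {"method": "inspect", "frequency": "annual", "result": "not_tested"}},
 {"id": "PM-09", "status": "implemented", "tsc": [], "evidence": ["policy.pdf"], "toe": null},
 {"id": "BK-01", "status": "implemented", "tsc": ["XX1.1"], "evidence": ["restore-log.txt"],
  "toe": {"method": "restore", "frequency": "monthly", "result": "partially_effective", "last_performed": "2025-02-01"}}
]}""")  # constructed controls-inventory.json content; the field names are assumptions, not the skill's schema

def tsc_mapping_engine(inv):
    """Per-category coverage %, unmapped criteria (gaps), and control-level findings."""
    covered, findings = set(), []
    for c in inv["controls"]:
        if not c["tsc"]:
            findings.append(("error", c["id"], "control has no TSC mapping"))
        for crit in c["tsc"]:
            if crit not in VALID_IDS:
                findings.append(("error", c["id"], f"invalid criterion id {crit}"))
            elif c["status"] in COVERING:
                covered.add(crit)
            else:  # planned / not_implemented controls do not provide effective coverage
                findings.append(("warning", c["id"], f"{c['status']} control does not cover {crit}"))
    coverage = {cat: round(100 * len(covered & set(ids)) / len(ids)) for cat, ids in IN_SCOPE.items()}
    return coverage, sorted(VALID_IDS - covered), findings

def evidence_artifact_validator(inv):
    """Findings for implemented/partially_implemented controls with weak ToE or evidence."""
    findings = []
    for c in [x for x in inv["controls"] if x["status"] in COVERING]:
        toe = c.get("toe")
        if not toe or not all(k in toe for k in ("method", "frequency", "result")):
            findings.append((c["id"], "missing ToE"))
        elif toe["result"] not in ("effective", "partially_effective"):
            findings.append((c["id"], f"ToE result is {toe['result']}"))
        else:
            if not toe.get("last_performed"):
                findings.append((c["id"], "ToE has no last_performed date"))
            if toe["result"] == "partially_effective" and not toe.get("remediation"):
                findings.append((c["id"], "partially effective ToE without remediation notes"))
        if not c["evidence"]:
            findings.append((c["id"], "no evidence artifacts"))
    return findings
```

Running both functions on INVENTORY yields 50% CC, 0% A and 50% C coverage with three gaps, plus one warning and two errors from the mapping engine and four evidence findings.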