
SOC 2 AI Agent Compliance

by 1kalin · GitHub ↗ · v1.0.0
cross-platform ✓ Security Clean
621 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install afrexai-soc2-compliance
Description
Guides organizations through the SOC 2 compliance lifecycle with gap analysis, control implementation, evidence collection, audit prep, and continuous monitoring.
README (SKILL.md)

SOC 2 Compliance Accelerator

Your agent for achieving and maintaining SOC 2 Type I and Type II compliance — from readiness assessment through audit completion.

What This Does

Guides organizations through the full SOC 2 lifecycle: gap analysis, control implementation, evidence collection, audit prep, and continuous monitoring. Covers all 5 Trust Service Criteria with practical implementation steps.

How to Use

Tell your agent what stage you're at:

  • "Run SOC 2 readiness assessment" — 64-point gap analysis across all Trust Service Criteria
  • "Build SOC 2 control matrix" — Maps controls to criteria with ownership and evidence requirements
  • "Create SOC 2 evidence collection plan" — Automated and manual evidence gathering schedule
  • "Prepare for SOC 2 audit" — Auditor-ready documentation package checklist
  • "SOC 2 continuous monitoring dashboard" — Ongoing compliance tracking after certification

Trust Service Criteria Coverage

CC — Common Criteria (Security) — Required

  • CC1: Control Environment (tone at top, org structure, accountability)
  • CC2: Communication & Information (internal/external, system boundaries)
  • CC3: Risk Assessment (risk identification, fraud risk, change impact)
  • CC4: Monitoring Activities (ongoing evaluations, deficiency reporting)
  • CC5: Control Activities (policies, technology controls, deployment)
  • CC6: Logical & Physical Access (access management, authentication, physical security)
  • CC7: System Operations (vulnerability management, incident response, recovery)
  • CC8: Change Management (change authorization, testing, approval)
  • CC9: Risk Mitigation (vendor management, business continuity)

Optional Criteria

  • Availability (A1): Uptime SLAs, DR/BCP, capacity planning
  • Processing Integrity (PI1): Data accuracy, completeness, timeliness
  • Confidentiality (C1): Classification, encryption, retention, disposal
  • Privacy (P1): Notice, consent, collection, use, disclosure, access

Readiness Assessment Framework

Phase 1: Scoping (Week 1)

System Description Checklist:
□ Infrastructure components (cloud, on-prem, hybrid)
□ Software stack (applications, databases, middleware)
□ People (roles, responsibilities, third parties)
□ Procedures (operational, security, change management)
□ Data flows (ingress, processing, storage, egress)
□ Trust Service Criteria selection (Security + which optional?)
□ Subservice organizations (cloud providers, SaaS tools)
□ Carve-out vs inclusive method for subservice orgs

Phase 2: Gap Analysis (Weeks 2-3)

Score each control area 1-5:

  • 1 — Not Started: No policy, no process, no evidence
  • 2 — Ad Hoc: Informal processes exist but undocumented
  • 3 — Defined: Documented but inconsistent execution
  • 4 — Managed: Documented, executed, some evidence
  • 5 — Optimized: Automated, monitored, auditable evidence

Priority Matrix:

| Gap Score | Action | Timeline |
|---|---|---|
| 1-2 | Critical — implement immediately | 2-4 weeks |
| 3 | Important — formalize and document | 1-2 weeks |
| 4 | Minor — fill evidence gaps | 3-5 days |
| 5 | Maintain — continue monitoring | Ongoing |

Phase 3: Remediation (Weeks 3-10)

For each gap:
1. Assign control owner (by name, not role)
2. Define implementation steps
3. Set evidence collection method (automated preferred)
4. Establish testing cadence
5. Document exception handling process

Control Implementation Priorities

Must-Have Controls (Week 1-4)

  1. Access Management: SSO, MFA on all systems, quarterly access reviews
  2. Encryption: TLS 1.2+ in transit, AES-256 at rest, key management
  3. Logging: Centralized logging, 90-day retention minimum, tamper-evident
  4. Incident Response: Documented plan, defined roles, tested annually
  5. Change Management: Approval workflows, code review, deployment gates
  6. Vendor Management: Vendor inventory, risk assessments, SOC 2 reports from critical vendors
  7. Employee Security: Background checks, security awareness training, acceptable use policy
  8. Vulnerability Management: Regular scanning, patch cadence (critical <72hrs), penetration testing

Should-Have Controls (Week 4-8)

  1. Business Continuity: DR plan, RTO/RPO defined, tested semi-annually
  2. Data Classification: 4-tier model (Public, Internal, Confidential, Restricted)
  3. Network Security: Segmentation, IDS/IPS, WAF for web applications
  4. Endpoint Protection: EDR, device encryption, MDM for mobile

Nice-to-Have Controls (Week 8+)

  1. Security Metrics Dashboard: Real-time compliance posture
  2. Automated Compliance Monitoring: Continuous control testing
  3. Zero Trust Architecture: Beyond perimeter security

Evidence Collection Guide

Automated Evidence (Set Once, Collect Forever)

| Control | Evidence Source | Tool Examples |
|---|---|---|
| Access Reviews | IAM exports | Okta, Azure AD, AWS IAM |
| Encryption | Config snapshots | AWS Config, CloudTrail |
| Logging | Log aggregation | Datadog, Splunk, ELK |
| Vulnerability Scans | Scan reports | Qualys, Nessus, Snyk |
| Change Management | PR/deploy history | GitHub, GitLab, Jira |
| Uptime | Monitoring dashboards | Datadog, PagerDuty |

Manual Evidence (Scheduled Collection)

| Control | Evidence Type | Frequency |
|---|---|---|
| Background Checks | HR records | Per hire |
| Security Training | Completion certificates | Annual |
| Risk Assessment | Assessment document | Annual |
| Pen Testing | Report | Annual |
| DR Testing | Test results | Semi-annual |
| Board/Mgmt Review | Meeting minutes | Quarterly |
| Vendor Reviews | Assessment records | Annual |
| Policy Reviews | Version history | Annual |

Audit Timeline

Type I (Point-in-Time) — 8-12 weeks total

Week 1-2:   Auditor selection + engagement letter
Week 2-4:   System description draft
Week 4-6:   Control documentation + evidence prep
Week 6-8:   Fieldwork (auditor testing)
Week 8-10:  Draft report review
Week 10-12: Final report issued

Type II (Period of Time) — 3-12 month observation + 4-6 weeks fieldwork

Month 1:     Observation period begins (minimum 3 months, recommend 6-12)
Ongoing:     Evidence collection, control operation
Month 3-12:  Observation period ends
+Week 1-2:   Fieldwork scheduling
+Week 2-4:   Fieldwork (testing over observation period)
+Week 4-6:   Draft report + final report

Cost Framework

| Company Size | Type I | Type II | Annual Maintenance |
|---|---|---|---|
| Startup (<50) | $20K-$50K | $30K-$80K | $15K-$40K |
| Mid-Market (50-500) | $40K-$100K | $60K-$150K | $30K-$80K |
| Enterprise (500+) | $80K-$200K | $120K-$300K | $60K-$150K |

Includes: auditor fees, tooling, personnel time, remediation costs.

Hidden costs to budget:

  • Compliance automation platform: $10K-$50K/year
  • Additional security tooling: $5K-$30K/year
  • Personnel time (internal): 200-800 hours
  • Policy/procedure writing (if outsourced): $5K-$20K

Common Audit Findings (Avoid These)

  1. Access not revoked within 24 hours of termination — #1 finding
  2. Missing or incomplete risk assessment — annual requirement
  3. No evidence of management review — need meeting minutes
  4. Incomplete vendor management — missing SOC reports from critical vendors
  5. Inconsistent change management — emergency changes without retroactive approval
  6. Security training gaps — new hires not trained within 30 days
  7. Logging gaps — not all in-scope systems sending to central logging

AI Agent SOC 2 Considerations (2026)

When deploying AI agents in SOC 2 environments:

  • Data boundaries: Agents must not access data outside their defined scope
  • Audit trail: All agent actions must be logged and attributable
  • Access controls: Agent service accounts need same rigor as human accounts
  • Model governance: Document which models process customer data
  • Prompt injection defense: Part of CC7 (system operations) controls
  • Output validation: Processing integrity controls for agent outputs
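
The data-boundary and audit-trail items above can be tested directly against an agent action log. The following is an added example, not part of the skill: it reviews JSON-lines log entries and flags actions that are unattributable, come from an unregistered agent account, or touch a resource outside the agent's declared scope. The scope map, field names and log lines are assumptions constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Hypothetical scope map: resource patterns each agent service account may touch.
AGENT_SCOPES = {
    "svc-agent-support": ["tickets/*", "kb/*"],
    "svc-agent-billing": ["invoices/*"],
}
# Fields an entry must carry to be attributable (assumed schema).
REQUIRED_FIELDS = ("ts", "agent", "on_behalf_of", "action", "resource")

# Constructed sample log, one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2026-02-01T10:00:01Z","agent":"svc-agent-support","on_behalf_of":"u123","action":"read","resource":"tickets/4411"}
{"ts":"2026-02-01T10:00:09Z","agent":"svc-agent-support","on_behalf_of":"u123","action":"read","resource":"invoices/2026-01"}
{"ts":"2026-02-01T10:01:30Z","agent":"svc-agent-billing","action":"export","resource":"invoices/2026-01"}
{"ts":"2026-02-01T10:02:00Z","agent":"svc-agent-unknown","on_behalf_of":"u9","action":"read","resource":"kb/faq"}
not-json garbage line
"""


def review_agent_log(text, scopes=AGENT_SCOPES):
    """Return (line_number, finding) for every entry that fails a check."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
            if not isinstance(entry, dict):
                raise ValueError("log entry is not a JSON object")
        except ValueError:  # json.JSONDecodeError is a ValueError subclass
            findings.append((n, "UNPARSEABLE"))
            continue
        missing = [f for f in REQUIRED_FIELDS if not entry.get(f)]
        if missing:
            findings.append((n, "UNATTRIBUTABLE:" + ",".join(missing)))
            continue
        allowed = scopes.get(entry["agent"])
        # "tickets/../invoices/1" would match "tickets/*", so reject ".." segments.
        traversal = ".." in entry["resource"].split("/")
        if allowed is None:
            findings.append((n, "UNREGISTERED_AGENT"))
        elif traversal or not any(fnmatchcase(entry["resource"], p) for p in allowed):
            findings.append((n, "OUT_OF_SCOPE"))
    return findings
```

Lines that fail to parse are reported rather than skipped, since a gap in the trail is itself something an auditor will ask about.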

Industry-Specific Requirements

| Industry | Extra Criteria | Key Controls |
|---|---|---|
| Fintech | All 5 TSC typical | SOX mapping, encryption everywhere, PCI if payments |
| Healthcare | Privacy, Confidentiality | HIPAA crosswalk, BAAs, PHI handling |
| SaaS | Availability, Confidentiality | Multi-tenant isolation, SLA compliance |
| Legal | Confidentiality, Privacy | Privilege protection, matter isolation |
| Construction | Security, Availability | Field data protection, offline capability |
| E-commerce | All 5 TSC typical | PCI DSS alignment, transaction integrity |

7 SOC 2 Mistakes That Cost Companies 6+ Months

  1. Starting with Type II — Get Type I first, prove controls work, then observe
  2. Scoping too broadly — Only include systems that touch customer data
  3. Choosing the wrong auditor — Pick one who knows your industry
  4. Manual evidence collection — Automate from day 1 or drown in spreadsheets
  5. Treating it as a project, not a program — SOC 2 is continuous
  6. Ignoring subservice organizations — Your cloud provider's SOC 2 matters
  7. No executive sponsor — Compliance without budget authority = failure

Get the Full Implementation Package

This skill gives you the framework. For industry-specific compliance playbooks with regulatory crosswalks, cost models, and vendor selection guides:

🔗 AfrexAI Context Packs — $47 per industry vertical

Available packs: Fintech, Healthcare, Legal, Construction, E-commerce, SaaS, Real Estate, Recruitment, Manufacturing, Professional Services

🔗 AI Revenue Leak Calculator — Find where compliance gaps cost you money

🔗 Agent Setup Wizard — Deploy compliance monitoring agents in minutes

Bundle pricing:

  • Pick 3 packs: $97
  • All 10 packs: $197
  • Everything bundle: $247
Usage Guidance
This appears to be a straightforward, instruction-only SOC 2 playbook. Before installing or using it, consider: (1) the skill itself does not fetch data or request credentials, but following its recommendations will likely require you to provide access (API keys, monitoring/log exports) to your systems — only grant least-privilege credentials and to trusted agents; (2) verify the publisher/source (the README points to an AfrexAI site) if you plan to share internal evidence or PII; (3) treat any prompts from the agent that ask for credentials, full logs, or secrets as high-risk — validate why those are needed and prefer manual uploads of redacted evidence; (4) if you need stronger assurance, ask the publisher for a provenance/author signature or run the guidance offline and avoid connecting the agent directly to production systems. If the skill later adds install scripts, network calls, or requests environment variables, re-evaluate (that would change this assessment).
Capability Analysis
Type: OpenClaw Skill
Name: afrexai-soc2-compliance
Version: 1.0.0

The skill bundle contains only markdown documentation and metadata, providing comprehensive guidance on SOC 2 compliance. There is no executable code, no evidence of data exfiltration, malicious execution, persistence, or prompt injection against the agent. External links to related commercial products and an 'Agent Setup Wizard' are present in SKILL.md and README.md, but these are presented as informational resources for the user, not as instructions for the AI agent to execute in a harmful or unauthorized manner.
Capability Assessment
Purpose & Capability
The name and description (SOC 2 lifecycle guidance) match the SKILL.md content: readiness assessment, control matrices, evidence plans, and timelines. References to third‑party tools (Okta, AWS Config, Datadog, etc.) are examples of evidence sources and are appropriate for the purpose.
Instruction Scope
SKILL.md is a detailed playbook and stays within advisory scope (templates, checklists, timelines, mapping of controls to evidence). It references automated evidence sources and monitoring tools but does not itself include commands, require reading arbitrary system files, or instruct contacting hidden endpoints. Be aware: real-world use will typically require connecting to monitoring/IAM services, which would require credentials supplied by the user (the skill does not request them).
Install Mechanism
No install spec and no code files — instruction-only content. This is the lowest-risk install posture (nothing is written to disk or downloaded by the skill).
Credentials
The skill declares no required environment variables, credentials, or config paths. While it names external tools as evidence sources, those are illustrative; the skill does not request unrelated secrets or broad environment access.
Persistence & Privilege
Skill defaults (not always:true, agent-invocation allowed) are used. It does not request permanent/system-level presence or modification of other skills' configuration.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install afrexai-soc2-compliance
  3. After installation, invoke the skill by name or use /afrexai-soc2-compliance
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
SOC 2 Compliance Accelerator v1.0.0 — Initial Release

  • Guides companies through the SOC 2 lifecycle: readiness assessment, control implementation, evidence collection, audit preparation, and continuous monitoring.
  • Covers all 5 Trust Service Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy) with practical, actionable steps.
  • Provides a detailed readiness assessment framework and gap analysis scoring.
  • Includes prioritized control implementation lists and evidence collection planning.
  • Outlines typical audit timelines for SOC 2 Type I and Type II.
  • Offers a cost framework and lists common audit pitfalls to avoid.
  • Notes special considerations for AI agents operating in SOC 2 environments.
Metadata
Slug afrexai-soc2-compliance
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is SOC 2 AI Agent Compliance?

Guides organizations through the SOC 2 compliance lifecycle with gap analysis, control implementation, evidence collection, audit prep, and continuous monitoring. It is an AI Agent Skill for Claude Code / OpenClaw, with 621 downloads so far.

How do I install SOC 2 AI Agent Compliance?

Run "/install afrexai-soc2-compliance" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is SOC 2 AI Agent Compliance free?

Yes, SOC 2 AI Agent Compliance is completely free (open-source). You can download, install and use it at no cost.

Which platforms does SOC 2 AI Agent Compliance support?

SOC 2 AI Agent Compliance is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created SOC 2 AI Agent Compliance?

It is built and maintained by 1kalin (@1kalin); the current version is v1.0.0.
