S2
SOC 2 Readiness
🔵 Stable🕐 updated 2026-06-24
🔷 SkillSpec L3
⚙ ships an executable helper
pm-compliance
Assess SOC 2 readiness across the Trust Services Criteria and produce a gap remediation plan. Use when asked to prepare for a SOC 2 audit, run a SOC 2 readiness/gap assessment, scope controls, or get audit-ready. Produces a readiness report — scope & criteria, a control-by-control status, a weighted readiness score, prioritised gaps with owners, and the evidence each control needs.
📚 Based on AICPA SOC 2 Trust Services Criteria
What to give it
▸Report type & period — SOC 2 Type I (point in time) or Type II (a window, usually 3–12 months).
▸In-scope criteria — Security (always), plus any of Availability, Confidentiality, Processing Integrity, Privacy. Don't include criteria you can't evidence.
▸Systems in scope — the product/infra boundary the report covers.
▸Current control state — what's implemented, partially implemented, or missing (be honest; auditors test, they don't take your word).
✅ The bar it holds itself to
Every skill in this library self-verifies — these are this skill's own quality checks, straight from its definition.
✓Only criteria the org can actually evidence are in scope (don't add Privacy to look thorough)
✓Every control names the specific evidence an auditor would request
✓The readiness score is computed from the control list, not asserted
✓For Type II, the plan distinguishes "implement the control" from "accumulate evidence over the period"
✓Gaps are prioritised by risk and have an owner and date — not a flat list
⚠️ What it refuses to do
Do not confuse a readiness assessment with a passed audit — readiness is self-assessed; the report comes from a licensed CPA firm
Do not claim a control is "met" without the evidence to prove it — auditors test operating effectiveness, not intentions
Do not over-scope criteria — every criterion you add is more controls to evidence; include only what's true and needed
Do not leave gaps unowned or undated — an unowned gap is a gap that's still open at audit time
Do not try to backfill Type II evidence — controls must demonstrably operate across the whole period
Install
npx pm-claude-skills add --agent claude # or codex · cursor · gemini · hermes
# or one-line MCP (every skill, any client):
claude mcp add pm-skills -- npx -y pm-claude-skills-mcp
Related skills
🔌 Embed this skill
Drop this on your blog, docs, or site — it renders a "Run this skill" card:
<div data-pm-skill="soc2-readiness"></div>
<script src="https://mohitagw15856.github.io/pm-claude-skills/embed.js" async></script>
💬 Discussion
SOC 2 Readiness is one of 630 open-source professional AI agent skills — all SkillSpec L3.
Try them all in the browser · ⭐ Star on GitHub · Browse the full catalog