PlaygroundCatalog › SOC 2 Readiness
S2

SOC 2 Readiness

🔵 Stable🕐 updated 2026-06-24 🔷 SkillSpec L3 ⚙ ships an executable helper pm-compliance

Assess SOC 2 readiness across the Trust Services Criteria and produce a gap remediation plan. Use when asked to prepare for a SOC 2 audit, run a SOC 2 readiness/gap assessment, scope controls, or get audit-ready. Produces a readiness report — scope & criteria, a control-by-control status, a weighted readiness score, prioritised gaps with owners, and the evidence each control needs.

📚 Based on AICPA SOC 2 Trust Services Criteria

▶ Run it free — no key needed 📝 Grade your existing draft View SKILL.md ↗

What to give it

Report type & period — SOC 2 Type I (point in time) or Type II (a window, usually 3–12 months).
In-scope criteria — Security (always), plus any of Availability, Confidentiality, Processing Integrity, Privacy. Don't include criteria you can't evidence.
Systems in scope — the product/infra boundary the report covers.
Current control state — what's implemented, partially implemented, or missing (be honest; auditors test, they don't take your word).

✅ The bar it holds itself to

Every skill in this library self-verifies — these are this skill's own quality checks, straight from its definition.

Only criteria the org can actually evidence are in scope (don't add Privacy to look thorough)
Every control names the specific evidence an auditor would request
The readiness score is computed from the control list, not asserted
For Type II, the plan distinguishes "implement the control" from "accumulate evidence over the period"
Gaps are prioritised by risk and have an owner and date — not a flat list

⚠️ What it refuses to do

Do not confuse a readiness assessment with a passed audit — readiness is self-assessed; the report comes from a licensed CPA firm
Do not claim a control is "met" without the evidence to prove it — auditors test operating effectiveness, not intentions
Do not over-scope criteria — every criterion you add is more controls to evidence; include only what's true and needed
Do not leave gaps unowned or undated — an unowned gap is a gap that's still open at audit time
Do not try to backfill Type II evidence — controls must demonstrably operate across the whole period

Install

npx pm-claude-skills add --agent claude   # or codex · cursor · gemini · hermes
# or one-line MCP (every skill, any client):
claude mcp add pm-skills -- npx -y pm-claude-skills-mcp

Related skills

🔌 Embed this skill

Drop this on your blog, docs, or site — it renders a "Run this skill" card:

<div data-pm-skill="soc2-readiness"></div>
<script src="https://mohitagw15856.github.io/pm-claude-skills/embed.js" async></script>

💬 Discussion

SOC 2 Readiness is one of 630 open-source professional AI agent skills — all SkillSpec L3. Try them all in the browser · ⭐ Star on GitHub · Browse the full catalog