soc2-evidence-collector
Generate SOC2 evidence collection checklists, automate evidence gathering scripts, and produce audit-ready evidence packages. Covers all 5 Trust Service Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). Use when preparing for SOC2 Type I/II audits, maintaining continuous compliance, or building evidence collection automation. Built by AfrexAI.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/afrexai-cto/afrexai-soc2-evidence-collector
SOC2 Evidence Collector
Automate evidence gathering for SOC2 Type I and Type II audits across all 5 Trust Service Criteria.
When to Use
- Preparing for an upcoming SOC2 audit (Type I or Type II)
- Building continuous compliance evidence pipelines
- An auditor requests evidence and you need to gather it fast
- Onboarding a new client who requires SOC2 compliance proof
- Annual evidence refresh cycle
- Gap analysis before engaging an audit firm
Input
Gather these from the user before generating:
Required
- Audit type: Type I (point-in-time) or Type II (over a period, typically 3-12 months)
- Trust Service Criteria in scope: Security (CC — always required), plus any of: Availability, Processing Integrity, Confidentiality, Privacy
- Cloud provider(s): AWS, GCP, Azure, multi-cloud, on-prem, hybrid
- Primary tech stack: languages, frameworks, CI/CD, IaC tools
- Team size: engineering + ops headcount
Optional
- Current compliance certifications (ISO 27001, HIPAA, PCI-DSS, etc.)
- Audit firm name and timeline
- Previous audit findings or gaps
- Specific control frameworks already mapped (NIST 800-53, CIS, etc.)
- SSO/IdP provider (Okta, Azure AD, Google Workspace, etc.)
Evidence Categories
CC — Common Criteria (Security) — Always In Scope
CC1: Control Environment
| Evidence | Source | Collection Method |
|---|---|---|
| Org chart with security roles | HR system / Confluence | Manual export quarterly |
| Security policy documents | Policy repo / wiki | Git log showing annual review |
| Code of conduct acknowledgments | HR system | Export signed acknowledgments |
| Board/management meeting minutes on security | Calendar + notes | Screenshot + agenda export |
| Risk assessment documentation | GRC tool / spreadsheet | Export current risk register |
CC2: Communication and Information
| Evidence | Source | Collection Method |
|---|---|---|
| Security awareness training records | LMS / training platform | Completion report export |
| Onboarding security checklist | HR system | Template + completion logs |
| Incident communication procedures | Runbook / wiki | Version-controlled doc with review history |
| External communication policies | Policy repo | Git log + approval records |
CC3: Risk Assessment
| Evidence | Source | Collection Method |
|---|---|---|
| Annual risk assessment report | GRC tool | PDF export with sign-off |
| Vendor risk assessments | Vendor management tool | Export assessment records |
| Penetration test reports | Security vendor | PDF reports with remediation tracking |
| Vulnerability scan results | Scanner (Qualys, Nessus, etc.) | Automated export, monthly |
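The tables above list what to collect and from where; the step that auditors actually check is whether the exported artifact exists, falls inside the review period (for Type II) and is unchanged after hand-off. The following Python script is an added example, not code from this skill or from AfrexAI, showing how a collected checklist can be turned into an audit-ready package with a SHA-256 manifest grouped by criterion. It assumes the exports already sit in a local directory; every file name, item, source and date in it is a constructed sample.

```python
# Added example (not the skill's own code): assemble collected evidence files
# into an audit-ready package with a tamper-evident manifest. All paths, items
# and dates below are constructed samples, not real audit data.
import hashlib
import json
import os
import tempfile
from dataclasses import dataclass
from datetime import date


@dataclass
class EvidenceItem:
    control: str        # Trust Service Criteria reference, e.g. "CC1"
    name: str           # checklist row, e.g. "Security policy documents"
    source: str         # system the export was taken from
    path: str           # local path of the exported artifact
    collected_on: date  # date the export was taken


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large exports need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(items, period_start, period_end, audit_type="Type II"):
    """Return (manifest, issues). Checks presence and, for Type II, that the
    collection date lies inside the audit period; present files are hashed."""
    manifest = {
        "audit_type": audit_type,
        "period": {"start": period_start.isoformat(), "end": period_end.isoformat()},
        "controls": {},
    }
    issues = []
    for item in items:
        entry = {"name": item.name, "source": item.source, "path": item.path,
                 "collected_on": item.collected_on.isoformat()}
        if not os.path.isfile(item.path):
            entry["status"] = "missing"
            issues.append(f"{item.control} / {item.name}: file not found: {item.path}")
        elif audit_type == "Type II" and not (period_start <= item.collected_on <= period_end):
            entry["status"] = "out_of_period"
            entry["sha256"] = sha256_file(item.path)
            issues.append(f"{item.control} / {item.name}: collected {item.collected_on} "
                          f"outside audit period {period_start}..{period_end}")
        else:
            entry["status"] = "ok"
            entry["sha256"] = sha256_file(item.path)
        manifest["controls"].setdefault(item.control, []).append(entry)
    manifest["complete"] = not issues
    return manifest, issues


def write_manifest(manifest, out_dir):
    """Write manifest.json beside the evidence files; returns its path."""
    path = os.path.join(out_dir, "manifest.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return path


def build_demo_package():
    """Constructed sample run: three exported files plus one never collected."""
    work = tempfile.mkdtemp(prefix="soc2-evidence-")
    samples = {  # constructed contents standing in for real exports
        "security-policy-git-log.txt": "2024-03-15 abc1234 Annual review of security policy\n",
        "training-completion.csv": "user,course,completed_on\nalice,Security Awareness 2024,2024-05-01\n",
        "vuln-scan-2023-12.csv": "host,severity,finding\nweb-01,medium,outdated TLS cipher suite\n",
    }
    for fname, content in samples.items():
        with open(os.path.join(work, fname), "w", encoding="utf-8") as fh:
            fh.write(content)
    items = [
        EvidenceItem("CC1", "Security policy documents", "Policy repo / wiki",
                     os.path.join(work, "security-policy-git-log.txt"), date(2024, 3, 15)),
        EvidenceItem("CC2", "Security awareness training records", "LMS / training platform",
                     os.path.join(work, "training-completion.csv"), date(2024, 5, 2)),
        EvidenceItem("CC3", "Vulnerability scan results", "Scanner",
                     os.path.join(work, "vuln-scan-2023-12.csv"), date(2023, 12, 20)),
        EvidenceItem("CC3", "Penetration test reports", "Security vendor",
                     os.path.join(work, "pentest-report.pdf"), date(2024, 4, 10)),
    ]
    manifest, issues = build_manifest(items, date(2024, 1, 1), date(2024, 6, 30))
    return {"manifest": manifest, "issues": issues,
            "manifest_path": write_manifest(manifest, work)}


if __name__ == "__main__":
    result = build_demo_package()
    print(json.dumps(result["manifest"], indent=2, sort_keys=True))
    for issue in result["issues"]:
        print("ISSUE:", issue)
```

The sample run flags two gaps an auditor would raise: a December 2023 scan export that falls before the January-to-June 2024 review period, and a pentest report that was listed but never collected. The `complete` flag stays false until both are resolved, and the per-file hashes let the auditor confirm that what they received is what was packaged.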
Paste this into your clawhub.json to enable this plugin.
{
  "plugins": {
    "official-afrexai-cto-afrexai-soc2-evidence-collector": {
      "enabled": true,
      "auto_update": true
    }
  }
}