From soc2-startup
Lean SOC2 Type 1 audit support for SaaS startups. Use when preparing for SOC2 audits, writing policies, collecting evidence, performing gap analysis, or assessing readiness.
Triggered by the user, by Claude, or both.
Slash command: /soc2-startup:soc2
Summary Claude sees in its skill listing (used to decide when to auto-load this skill): Lean SOC2 Type 1 audit guidance for SaaS startups pursuing a SOC 2 report against the Common Criteria (CC1-CC9). Note that SOC 2 is an auditor attestation, not a certification. Focuses on minimum viable compliance — what auditors actually need, nothing more.
| CC | Focus | Scope |
|---|---|---|
| CC1 | Control Environment | ALL staff |
| CC2 | Communication | ALL staff |
| CC3 | Risk Assessment | Organization-wide |
| CC4 | Monitoring | Organization-wide |
| CC5 | Control Activities | Organization + production |
| CC6 | Access Controls | Production systems only |
| CC7 | System Operations | Production systems only |
| CC8 | Change Management | Production systems only |
| CC9 | Risk Mitigation | Production systems only |
CC1-CC5 apply to all employees. CC6-CC9 can be scoped to the production team only, provided the scope definition states that boundary explicitly so the auditor does not assume company-wide coverage.
For full criteria details including required policies, evidence, controls, and common gaps, see cc-reference.md.
| Role | When to use | Reference |
|---|---|---|
| Lean Guardian | Challenge over-engineering, validate scope | roles/lean-guardian.md |
| Policy Writer | Create lean, auditor-ready policies | roles/policy-writer.md |
| Gap Analyzer | Identify missing items vs. nice-to-have | roles/gap-analyzer.md |
| Evidence Collector | Gather minimum viable evidence | roles/evidence-collector.md |
| Control Mapper | Map controls to CC criteria | roles/control-mapper.md |
| Risk Assessor | Pragmatic 5x5 risk assessment | roles/risk-assessor.md |
| Readiness Reviewer | Pre-audit validation | roles/readiness-reviewer.md |
For structured multi-step processes, see workflows.md.
In scope: Production infrastructure, customer data handling, source code and CI/CD, IAM, critical vendors (~10-15), production team access controls.
Out of scope: Employee endpoints, office physical security, dev/staging environments, corporate IT tools, non-critical vendors.
| Command | Action |
|---|---|
| /soc2 readiness-check | Assess current readiness |
| /soc2 gap-analysis | Identify what's missing |
| /soc2 write-policy [type] | Create missing policies |
| /soc2 collect-evidence [cc] | Gather required evidence |
| /soc2 lean-check | Validate nothing is over-engineered |
Arguments after /soc2 are interpreted as the requested action. Use natural language if these shorthands don't match your need.
This skill complements the Probo plugin. If you have the Probo plugin installed:
These paths are where your compliance documents should live in your project:
00-OVERVIEW/SOC2-SCOPE-DEFINITION.md
00-OVERVIEW/00-SOC2-COMPLIANCE-TRACKER.md
02-RISK-MANAGEMENT/SOC2-RISK-ASSESSMENT-FRAMEWORK.md
01-POLICIES/
06-EVIDENCE/EVIDENCE-COLLECTION-CHECKLIST.md
Install: npx claudepluginhub fsch/compliance-tools --plugin soc2-startup
Plugin description: Automates SOC 2 audit prep: assesses Trust Service Criteria controls (CC1-CC9), gathers evidence from docs/logs/IaC, identifies gaps, generates readiness reports.