SOC 2 Evidence Collection Guide
Practical guide for collecting, organizing, and maintaining audit evidence for SOC 2 Type I and Type II engagements. Covers evidence types, automation strategies, and documentation requirements.
Evidence Fundamentals
What Auditors Look For
- Existence — The control is documented and in place as of the review date
- Design effectiveness — The control, as designed, addresses the relevant Trust Services Criteria (tested in both Type I and Type II)
- Operating effectiveness — The control operated consistently across the whole observation period (Type II only)
Evidence Quality Criteria
| Criterion | Description |
|---|---|
| Relevant | Directly demonstrates the control's operation |
| Reliable | Generated by systems or independent parties (not self-reported) |
| Timely | Falls within the audit/observation period |
| Sufficient | Enough samples to demonstrate consistency |
| Complete | Covers the full population or a representative sample |
Evidence Types
| Type | Description | Examples |
|---|---|---|
| Inquiry | Verbal or written descriptions from personnel | Interview notes, written responses |
| Observation | Auditor witnesses control in operation | Process walkthroughs, live demonstrations |
| Inspection | Review of documents, records, or configurations | Policy documents, system screenshots, logs |
| Re-performance | Auditor re-executes the control to verify results | Access review validation, configuration checks |
Evidence by Control Area
Access Management
| Control | Type I Evidence | Type II Evidence |
|---|---|---|
| Access provisioning | Provisioning policy, role matrix | Sample provisioning tickets with approvals (full period) |
| Access removal | Termination checklist, deprovisioning SOP | Sample termination events with access removal timestamps |
| Access reviews | Review policy, review template | Completed quarterly access review reports with sign-offs |
| MFA enforcement | MFA policy, configuration screenshot | MFA enrollment report showing 100% coverage |
| Privileged access | Privileged access policy, admin list | Quarterly privileged access reviews, admin activity logs |
Change Management
| Control | Type I Evidence | Type II Evidence |
|---|---|---|
| Change authorization | Change management policy, workflow description | Sample change tickets with approvals, peer reviews |
| Testing requirements | Testing policy, test plan template | Test results for sampled changes, QA sign-offs |
| Emergency changes | Emergency change procedure | Emergency change tickets with post-hoc approvals |
| Deployment process | CI/CD documentation, deployment runbook | Deployment logs, rollback records |
| Code review | Code review policy | Pull request histories showing reviewer approvals |
Incident Response
| Control | Type I Evidence | Type II Evidence |
|---|---|---|
| IR plan | Incident response plan document | Plan review/update records, version history |
| IR testing | Tabletop exercise schedule | Tabletop exercise reports, lessons learned |
| Incident handling | Triage procedures, classification criteria | Incident tickets with timestamps, escalation records |
| Postmortems | Postmortem template, review process | Completed postmortem documents, follow-up actions |
| Communication | Communication plan, stakeholder list | Notification records, status page updates |
Vulnerability Management
| Control | Type I Evidence | Type II Evidence |
|---|---|---|
| Scanning | Scanning schedule, tool configuration | Scan reports covering the full period (weekly/monthly) |
| Remediation SLAs | Remediation policy with SLA definitions | Remediation tracking showing SLA compliance rates |
| Patch management | Patching policy, schedule | Patch records, before/after scan comparisons |
| Penetration testing | Pentest policy, scope definition | Pentest reports (annual), remediation records |
Encryption and Data Protection
| Control | Type I Evidence | Type II Evidence |
|---|---|---|
| Encryption at rest | Encryption policy, configuration docs | Configuration screenshots, encryption audit reports |
| Encryption in transit | TLS policy, minimum version requirements | TLS scan results, certificate inventory |
| Key management | Key management policy, rotation schedule | Key rotation logs, access records for key stores |
| DLP | DLP policy, tool configuration | DLP alert logs, incident records, exception approvals |
Backup and Recovery
| Control | Type I Evidence | Type II Evidence |
|---|---|---|
| Backup procedures | Backup policy, schedule, retention rules | Backup success/failure logs (daily), retention compliance |
| DR planning | DR plan, recovery procedures | DR plan review records, update history |
| DR testing | DR test schedule, test plan | DR test reports with RTO/RPO measurements |
| BCP | BCP document, communication tree | BCP review records, test results |
Monitoring and Logging
| Control | Type I Evidence | Type II Evidence |
|---|---|---|
| SIEM/logging | Logging policy, SIEM configuration | Log retention evidence, alert samples, dashboard screenshots |
| Alert management | Alert rules, escalation procedures | Alert trigger samples, response records |
| Uptime monitoring | Monitoring tool configuration, SLA definitions | Uptime reports covering the full period |
| Anomaly detection | Detection rules, baseline configuration | Detection events, investigation records |
Policy and Governance
| Control | Type I Evidence | Type II Evidence |
|---|---|---|
| Security policies | Policy library, version control | Policy acknowledgment records, annual review evidence |
| Security training | Training program description, content | Training completion records (all employees) |
| Risk assessment | Risk assessment methodology | Annual risk assessment report, risk register updates |
| Board oversight | Committee charter, reporting schedule | Board meeting minutes, security reports to leadership |
Vendor Management
| Control | Type I Evidence | Type II Evidence |
|---|---|---|
| Vendor inventory | Vendor register, classification criteria | Current vendor register with risk tiers |
| Vendor assessment | Assessment questionnaire, criteria | Completed assessments, vendor SOC reports collected |
| Contractual controls | DPA template, security requirements | Signed DPAs, contract review records |
| Ongoing monitoring | Monitoring schedule, reassessment triggers | Reassessment records, monitoring reports |
Evidence Automation
Automated Evidence Sources
| Evidence | Automation Approach | Tools |
|---|---|---|
| Access reviews | Scheduled IAM exports, automated review workflows | Okta, Azure AD, AWS IAM + Jira/ServiceNow |
| Configuration compliance | Infrastructure-as-code, policy-as-code scanning | Terraform, OPA, AWS Config, Azure Policy |
| Vulnerability scans | Scheduled scanning with report auto-generation | Nessus, Qualys, Snyk, Dependabot |
| Change management | Git-based audit trails (commits, PRs, approvals) | GitHub, GitLab, Bitbucket |
| Uptime monitoring | Continuous synthetic monitoring with SLA dashboards | Datadog, New Relic, PagerDuty, Pingdom |
| Backup verification | Automated backup validation and restore tests | AWS Backup, Veeam, custom scripts |
| Training completion | LMS with automated tracking and reminders | KnowBe4, Curricula, custom LMS |
| Policy acknowledgment | Digital signature workflows with tracking | DocuSign, HelloSign, internal tools |
Evidence Collection Script Pattern
1. Define evidence requirements per control
2. Map each requirement to a data source (API, log, screenshot)
3. Schedule automated collection (daily/weekly/monthly)
4. Store evidence with timestamps in a central repository
5. Generate collection status dashboard
6. Alert on missing or overdue evidence
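The six steps above, worked through as a small collector. This is an added example, not the page's or any project's own code: the control IDs (AC-03, BR-01, VM-04), source names, audit-period label `2025-H1` and the JSON payloads are constructed stand-ins for real IdP, backup and scanner API pulls. It stores each artifact under `evidence/{period}/{area}/` with the collection date in the file name, records a SHA-256 in a manifest so tampered or lost artifacts are caught before submission, and reports each control as current, overdue or missing against its cadence.

```python
"""Evidence collector following the six-step pattern above.

Added example, not the page's own code. Control IDs, source names, the
period label and the payloads are constructed for illustration."""
import hashlib
import json
import tempfile
from dataclasses import dataclass
from datetime import date, timedelta
from pathlib import Path

# Maximum age in days before a piece of evidence counts as overdue.
FREQUENCY_DAYS = {"daily": 1, "weekly": 7, "monthly": 31, "quarterly": 92, "annual": 366}


@dataclass(frozen=True)
class Requirement:
    control_id: str   # hypothetical internal control identifier
    area: str         # folder name in the evidence repository
    description: str
    frequency: str    # key into FREQUENCY_DAYS
    source: str       # key into SOURCES


# Constructed stand-ins for API pulls (step 2: requirement -> data source).
def mfa_enrollment_report():
    return {"tool": "idp", "enrolled_users": 212, "total_users": 212}


def backup_job_log():
    return [{"job": "db-nightly", "status": "success"}]


SOURCES = {"mfa_report": mfa_enrollment_report, "backup_log": backup_job_log}

# Step 1: requirements per control. VM-04 deliberately has no collector wired up.
REQUIREMENTS = [
    Requirement("AC-03", "access-management", "MFA enrollment report", "monthly", "mfa_report"),
    Requirement("BR-01", "backup-recovery", "Backup job success/failure log", "daily", "backup_log"),
    Requirement("VM-04", "vulnerability-management", "Annual pentest report", "annual", "pentest_report"),
]


def collect(req, repo, period, collected_on):
    """Steps 3-4: pull from the mapped source, store under {period}/{area}/ with
    the collection date in the file name, and hash the content for the manifest.
    Returns None when no collector exists so the gap surfaces as missing evidence."""
    fetch = SOURCES.get(req.source)
    if fetch is None:
        return None
    payload = json.dumps(fetch(), sort_keys=True).encode()
    target_dir = Path(repo) / period / req.area
    target_dir.mkdir(parents=True, exist_ok=True)
    target = target_dir / f"{req.control_id}-{collected_on.isoformat()}.json"
    target.write_bytes(payload)
    return {"control_id": req.control_id, "path": str(target),
            "collected_on": collected_on.isoformat(),
            "sha256": hashlib.sha256(payload).hexdigest()}


def status(requirements, manifest, today):
    """Step 5: current / overdue / missing per control, from the newest manifest entry."""
    latest = {}
    for entry in manifest:
        when = date.fromisoformat(entry["collected_on"])
        latest[entry["control_id"]] = max(latest.get(entry["control_id"], when), when)
    result = {}
    for req in requirements:
        if req.control_id not in latest:
            result[req.control_id] = "missing"
        elif (today - latest[req.control_id]).days > FREQUENCY_DAYS[req.frequency]:
            result[req.control_id] = "overdue"
        else:
            result[req.control_id] = "current"
    return result


def alerts(status_by_control):
    """Step 6: controls needing attention, ready to route to a ticket or pager."""
    return sorted(cid for cid, state in status_by_control.items() if state != "current")


def verify(manifest):
    """Re-hash stored files so a modified or deleted artifact is caught before submission."""
    return all(Path(e["path"]).exists()
               and hashlib.sha256(Path(e["path"]).read_bytes()).hexdigest() == e["sha256"]
               for e in manifest)


def run_demo(today=date(2025, 7, 15)):
    """One collection cycle in a temp directory; returns (status, alerts, manifest)."""
    repo = tempfile.mkdtemp(prefix="evidence-")
    schedule = [(REQUIREMENTS[0], today - timedelta(days=1)),   # fresh monthly report
                (REQUIREMENTS[1], today - timedelta(days=3)),   # daily log, three days stale
                (REQUIREMENTS[2], today)]                       # no collector -> missing
    manifest = []
    for req, when in schedule:
        entry = collect(req, repo, "2025-H1", when)
        if entry:
            manifest.append(entry)
    Path(repo, "manifest.json").write_text(json.dumps(manifest, indent=2))
    states = status(REQUIREMENTS, manifest, today)
    return states, alerts(states), manifest


if __name__ == "__main__":
    print(json.dumps(run_demo()[:2], indent=2))
```

The manifest hash is what makes the stored copy reliable evidence rather than a self-reported screenshot: re-running `verify()` at submission time proves the artifact is the one collected on the recorded date.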
Evidence Repository Structure
```
evidence/
├── {year}-{audit-period}/
│   ├── access-management/
│   │   ├── quarterly-access-review-Q1.pdf
│   │   ├── quarterly-access-review-Q2.pdf
│   │   ├── mfa-enrollment-report-2025-03.png
│   │   └── provisioning-samples/
│   ├── change-management/
│   │   ├── change-ticket-samples/
│   │   └── deployment-logs/
│   ├── incident-response/
│   │   ├── ir-plan-v3.2.pdf
│   │   ├── tabletop-exercise-2025-06.pdf
│   │   └── incident-tickets/
│   ├── vulnerability-management/
│   │   ├── scan-reports/
│   │   └── pentest-report-2025.pdf
│   ├── policies/
│   │   ├── information-security-policy-v4.pdf
│   │   └── acknowledgment-records/
│   └── vendor-management/
│       ├── vendor-register.csv
│       └── vendor-assessments/
```
Sampling Methodology
Auditors use sampling to test operating effectiveness. Understanding the methodology helps you prepare the right volume of evidence.
Sample Sizes by Control Frequency
| Control Frequency | Population Size (per observation period) | Typical Sample Size |
|---|---|---|
| Annual | 1 | 1 (all items) |
| Quarterly | 4 | 2-4 |
| Monthly | 6-12 | 2-5 |
| Weekly | 26-52 | 5-15 |
| Daily | 180-365 | 20-40 |
| Continuous/per-event | Varies | 25-60 |
Key Sampling Rules
- Higher frequency = larger sample — more occurrences in the period mean more items are tested
- Automated controls — usually one instance is tested, provided the general IT controls over that system (change management, access) are shown to operate; otherwise the control is sampled like a manual one
- Exceptions must be explained — any deviation in a sample requires documentation of root cause and remediation
- Population completeness — provide the full population (with a system-generated export or count) for the auditor to select from; the auditor chooses the items, not the control owner
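What preparing a population for sampling looks like in practice, as an added example that is not the page's own code: the change tickets, the daily backup log and the seed are constructed, and the sample sizes take the low end of each range in the table above, which is an assumption (the auditor sets the real size). The checks also cover the "evidence from wrong period" and "gaps in monitoring data" pitfalls listed later on this page: a ticket closed before the period starts is flagged, a missing day in a daily control is flagged, and the draw is seeded so the auditor can re-perform the selection from the same population.

```python
"""Population check and reproducible sample draw for Type II testing.

Added example, not the page's own code. Tickets, backup log and seed are
constructed; SAMPLE_SIZE is an assumed low end of the ranges above."""
import random
from datetime import date, timedelta

SAMPLE_SIZE = {"annual": 1, "quarterly": 2, "monthly": 2, "weekly": 5, "daily": 20, "per-event": 25}

PERIOD_START, PERIOD_END = date(2025, 1, 1), date(2025, 6, 30)

# Constructed change tickets: 40 closed inside the period, two without an
# approver (control exceptions), plus one closed before the period started.
CHANGE_TICKETS = [
    {"id": f"CHG-{i:04d}", "date": PERIOD_START + timedelta(days=4 * i),
     "approver": "" if i in (7, 23) else "eng-lead"}
    for i in range(1, 41)
] + [{"id": "CHG-0000", "date": date(2024, 12, 28), "approver": "eng-lead"}]

# Constructed daily backup log with one day missing (a monitoring gap).
BACKUP_LOGS = [
    {"id": f"backup-{d.isoformat()}", "date": d}
    for d in (PERIOD_START + timedelta(days=n) for n in range(181))
    if d != date(2025, 3, 14)
]


def population_issues(records, start, end, cadence_days=None):
    """Problems to resolve before the auditor selects: records outside the
    observation window and, for scheduled controls, missing occurrences."""
    issues = [f"out-of-period: {r['id']} ({r['date']})"
              for r in records if not start <= r["date"] <= end]
    if cadence_days:
        seen = {r["date"] for r in records}
        d = start
        while d <= end:
            if d not in seen:
                issues.append(f"gap: no record on {d}")
            d += timedelta(days=cadence_days)
    return issues


def draw_sample(records, frequency, seed):
    """Seeded random draw so the selection can be re-performed from the same
    population; record the seed and a hash of the population export."""
    size = min(SAMPLE_SIZE[frequency], len(records))
    return sorted(random.Random(seed).sample(records, size), key=lambda r: r["id"])


def exceptions(records, attribute):
    """IDs failing the control attribute; each needs a documented root cause and remediation."""
    return [r["id"] for r in records if not attribute(r)]


def run_demo(seed=20250701):
    """Check both populations, draw a per-event sample of change tickets, list exceptions."""
    in_period = [r for r in CHANGE_TICKETS if PERIOD_START <= r["date"] <= PERIOD_END]
    sample = draw_sample(in_period, "per-event", seed)
    has_approval = lambda r: bool(r["approver"])
    return {
        "population_issues": population_issues(CHANGE_TICKETS, PERIOD_START, PERIOD_END),
        "backup_gaps": population_issues(BACKUP_LOGS, PERIOD_START, PERIOD_END, 1),
        "sample_size": len(sample),
        "sample_exceptions": exceptions(sample, has_approval),
        "population_exceptions": exceptions(in_period, has_approval),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Run the population checks before handing the export to the auditor: an out-of-period item or a gap discovered during fieldwork becomes a finding, while one found beforehand can be explained or remediated with supporting documentation.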
Type I vs Type II Evidence Differences
| Aspect | Type I | Type II |
|---|---|---|
| Time scope | Single point in time | Entire observation period (3-12 months) |
| Volume | Lower — policies and configurations | Higher — ongoing logs, tickets, reports |
| Focus | "Is the control designed properly?" | "Did the control operate effectively?" |
| Exceptions | N/A | Must document and explain every exception |
| Owner sign-off | Policy approval records | Ongoing review sign-offs throughout the period |
Common Evidence Pitfalls
| Pitfall | Impact | Prevention |
|---|---|---|
| Screenshots without timestamps | Auditor cannot verify timing | Always include system clock or date stamps |
| Policies without version control | Cannot prove current vs outdated | Use document management with version tracking |
| Access reviews without sign-off | Cannot prove review was completed | Require digital approval/sign-off on every review |
| Gaps in monitoring data | Suggests control was not operating | Ensure logging continuity; document any outages |
| Evidence from wrong period | Does not cover the observation window | Verify date ranges before submission |
| Redacted evidence without explanation | Auditor may question completeness | Provide redaction rationale and methodology |
| Self-generated evidence only | Lower reliability in auditor's assessment | Include system-generated and third-party evidence |
| Missing exception documentation | Auditor flags as control failure | Document every exception with root cause and remediation |