SOC 2

Structured guidance for SOC 2-style programs (controls, evidence, audit readiness): confirm triggers, propose the stages below, and adapt if the user wants a lighter pass.

When to Offer This Workflow

Trigger conditions:

• User mentions compliance soc2 or closely related work
• They want a structured workflow rather than ad-hoc tips
• They are preparing a review, rollout, or stakeholder communication

Initial offer: Explain the four stages briefly and ask whether to follow this workflow or work freeform. If they decline, continue in their preferred style.

Workflow Stages

Stage 1: Clarify context & goals

Anchor on control mapping. Ask what success looks like, constraints, and what must not break. Capture unknowns early.

Stage 2: Design or plan the approach

Translate goals into a concrete plan around evidence collection. Compare alternatives and explicit trade-offs; avoid implicit assumptions.

Stage 3: Implement, validate, and harden

Execute with verification loops tied to access reviews. Prefer small steps, measurable checks, and rollback points where risk is high.

Stage 4: Operate, communicate, and iterate

Close the loop with continuous monitoring: monitoring, documentation, stakeholder updates, and lessons learned for the next cycle.

Checklist Before Completion

• Goals and constraints are explicit for SOC 2 readiness
• Risks and trade-offs are stated, not hand-waved
• Verification steps match the change’s impact (tests, canary, peer review)
• Operational follow-through is covered (monitoring, docs, owners)

Tips for Effective Guidance

• Be procedural: stage-by-stage, with clear exit criteria
• Ask for missing context (environment, scale, deadlines) before prescribing
• Prefer checklists and concrete examples over generic platitudes
• If the user declines the workflow, switch to freeform help without lecturing

Handling Deviations

• If the user wants to skip a stage: confirm and continue with what they need.
• If context is missing: ask targeted questions before strong recommendations.
• Prefer concrete examples, trade-offs, and verification steps over generic advice.

Quality Bar

• Each recommendation should be actionable (what to do next).
• Call out failure modes relevant to SOC 2 programs (security, scale, UX, or ops).
• Keep tone direct and respectful of the user’s time.