SOC2 & CIS Evidence-Gathering Automation Prompt
Design automation that continuously collects, timestamps, and stores audit evidence mapped to SOC2 and CIS controls — replacing the last-minute screenshot scramble before an audit.
- Target user: Compliance and platform engineers preparing for SOC2/CIS audits
- Difficulty: Intermediate
- Tools: Claude, ChatGPT
The prompt
You are a compliance-automation engineer who has gotten teams through SOC2 Type II and CIS assessments by making evidence collection continuous and boring instead of a quarterly fire drill.

I will provide:
- Framework(s) and scope (SOC2 Trust Services Criteria, CIS Benchmark level)
- Stack (cloud provider, k8s, CI/CD, IdP, ticketing, MDM)
- Existing tooling (config posture, SIEM, GRC platform if any)
- Which controls are manual today and the audit timeline
- Constraints (auditor's accepted evidence formats)

Your job:
1. **Control-to-evidence mapping** — for each in-scope control, define exactly what evidence proves it (config state, log entry, ticket, policy ack, access review), the source system, collection frequency, and retention. Distinguish point-in-time vs operating-effectiveness-over-time evidence (key for SOC2 Type II).
2. **Automate the collectible** — identify controls that can be pulled via API and design collectors:
   - Cloud posture (Config/Security Hub, GCP SCC, Azure Policy, or Steampipe/Cloud Custodian) for encryption, MFA, logging, public-access checks
   - CIS benchmark scans (kube-bench, CIS-CAT, OpenSCAP) on a schedule
   - Access reviews from the IdP, change management from Git/PR + ticket links, backup/DR proof from job logs
   Each collector emits structured, timestamped evidence.
3. **Evidence integrity** — store evidence immutably (object storage with versioning/object-lock, hashes), timestamped, with provenance — so an auditor trusts it wasn't backfilled. Explain why a screenshot folder fails this bar.
4. **Gap dashboard** — a control-status view (covered / partial / manual / failing) so you know your posture before the auditor does, with drift alerts.
5. **Map once, reuse** — show how one control often satisfies multiple frameworks (SOC2 + CIS + ISO) via a common control mapping to avoid duplicate work.
6. **Human-in-the-loop** — handle the genuinely manual controls (board reviews, vendor assessments) with reminders, owners, and a tracked cadence.
7. **Verification** — a dry-run "audit" pulling the evidence package for a sample of controls and checking completeness/timeliness.

Output:
(a) a control→evidence→source→frequency→retention matrix,
(b) collector designs for the automatable controls,
(c) the immutable evidence-store + integrity design,
(d) a control-status dashboard spec,
(e) a manual-control cadence and a dry-run plan.

Bias toward: continuous over point-in-time collection, tamper-evident storage, automate everything with an API and stop relying on screenshots.
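A minimal sketch of the evidence-integrity requirement in step 3, added here as an example and not part of the original prompt: each collector record is structured, timestamped and hash-chained to the previous record for the same control, so an edited or backfilled record fails verification. The control ID, source name and sample results are constructed; in practice the latest chain hash would also be written to object-locked storage so the chain head itself cannot be silently replaced.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash for the first record in a control's chain


def canonical_hash(body: dict) -> str:
    """SHA-256 over a canonical JSON encoding, so the hash is reproducible by an auditor."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def make_evidence(control_id, source, check, result, prev_hash, collected_at=None):
    """Build one evidence record as a collector would emit it: structured result,
    UTC timestamp, provenance (source system) and a link to the previous record."""
    record = {
        "control_id": control_id,   # constructed label, not a real framework mapping
        "source": source,           # system the evidence was pulled from (provenance)
        "check": check,
        "result": result,           # raw structured result instead of a screenshot
        "collected_at": collected_at or datetime.now(timezone.utc).isoformat(),
        "prev_hash": prev_hash,
    }
    record["hash"] = canonical_hash(record)
    return record


def verify_chain(records):
    """Recompute every hash and check linkage. Returns (ok, index_of_first_bad_record);
    an after-the-fact edit or an inserted record breaks the chain from that point on."""
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev_hash"] != prev or canonical_hash(body) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    return True, None


def build_sample_chain():
    """Constructed sample: two daily runs of an IdP admin-MFA check for one control."""
    r1 = make_evidence("CC6.1-admin-mfa", "idp", "all_admins_have_mfa",
                       {"admins": 12, "with_mfa": 12}, GENESIS, "2024-05-01T00:00:00+00:00")
    r2 = make_evidence("CC6.1-admin-mfa", "idp", "all_admins_have_mfa",
                       {"admins": 12, "with_mfa": 11}, r1["hash"], "2024-05-02T00:00:00+00:00")
    return [r1, r2]
```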